Cloud IAM C++ Client Library

Table of Contents

• Quickstart
• Setting up your repo
• Environment Variables
• Error Handling
• Override the default endpoint
• Override the authentication configuration
• Next Steps

The Cloud IAM C++ Client library offers types and functions to use Cloud IAM from C++ applications.

This library requires a C++14 compiler. It is supported (and tested) on multiple Linux distributions, macOS, and Windows.

Quickstart

The following instructions show you how to perform basic tasks in Cloud IAM using the C++ client library.

Before you begin

1. Select or create a Google Cloud Platform (GCP) project using the manage resource page. Make a note of the project id as you will need to use it later.
2. Make sure that billing is enabled for your project.
3. Learn about key terms and concepts for Cloud IAM.
4. Setup the authentication for the examples:
   • [Configure a service account][gcloud-authorizing],
   • or [login with your personal account][gcloud-authorizing]

Setting up your repo

In order to use the Cloud IAM C++ client library from your own code, you'll need to configure your build system to fetch and compile the Cloud C++ client library. The Cloud IAM C++ client library natively supports the Bazel and CMake build systems. We've created a minimal, "Hello world", quickstart repo that includes detailed instructions on how to compile the library for use in your application. You can fetch the source from GitHub as normal:

git clone https://github.com/googleapis/google-cloud-cpp.git
cd google-cloud-cpp/google/cloud/iam/quickstart

Example: Hello World

The following shows the code that you'll run in the google/cloud/iam/quickstart/ directory, which should give you a taste of the Cloud IAM C++ client library API.

// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
 
#include "google/cloud/iam/iam_client.h"
#include "google/cloud/project.h"
#include <iostream>
 
int main(int argc, char* argv[]) try {
  if (argc != 2) {
    std::cerr << "Usage: " << argv[0] << " <project-id>\n";
    return 1;
  }
 
  // Create a namespace alias to make the code easier to read.
  namespace iam = ::google::cloud::iam;
  iam::IAMClient client(iam::MakeIAMConnection());
  auto const project = google::cloud::Project(argv[1]);
  std::cout << "Service Accounts for project: " << project.project_id() << "\n";
  int count = 0;
  for (auto sa : client.ListServiceAccounts(project.FullName())) {
    if (!sa) throw std::move(sa).status();
    std::cout << sa->name() << "\n";
    ++count;
  }
  if (count == 0) std::cout << "No Service Accounts found.\n";
 
  return 0;
} catch (google::cloud::Status const& status) {
  std::cerr << "google::cloud::Status thrown: " << status << "\n";
  return 1;
}

Environment Variables

There are several environment variables that can be set to configure certain behaviors in the library.

• GOOGLE_CLOUD_CPP_IAM_CREDENTIALS_ENDPOINT=... overrides the EndpointOption (which defaults to "iamcredentials.googleapis.com") used by MakeIAMCredentialsConnection().
• GOOGLE_CLOUD_CPP_IAM_ENDPOINT=... overrides the EndpointOption (which defaults to "iam.googleapis.com") used by MakeIAMConnection().
• GOOGLE_CLOUD_CPP_IAM_POLICY_ENDPOINT=... overrides the EndpointOption (which defaults to "iam-meta-api.googleapis.com") used by MakeIAMPolicyConnection().
• GOOGLE_CLOUD_CPP_POLICIES_ENDPOINT=... overrides the EndpointOption (which defaults to "iam.googleapis.com") used by MakePoliciesConnection().
• GOOGLE_CLOUD_CPP_ENABLE_TRACING=rpc turns on tracing for most gRPC calls. The library injects an additional Stub decorator that prints each gRPC request and response. Unless you have configured you own logging backend, you should also set GOOGLE_CLOUD_CPP_ENABLE_CLOG to produce any output on the program's console.
• GOOGLE_CLOUD_CPP_TRACING_OPTIONS=... modifies the behavior of gRPC tracing, including whether messages will be output on multiple lines, or whether string/bytes fields will be truncated.
• GOOGLE_CLOUD_PROJECT=... is used in examples and integration tests to configure the GCP project.
• GOOGLE_CLOUD_CPP_ENABLE_CLOG=yes turns on logging in the library, basically the library always "logs" but the logging infrastructure has no backend to actually print anything until the application sets a backend or they set this environment variable.

Error Handling

This library never throws exceptions to signal errors. In general, the library returns a StatusOr<T> if an error is possible. Some functions return objects that are not wrapped in a StatusOr<> but will themselves return a StatusOr<T> to signal an error. For example, wrappers for asynchronous operations return future<StatusOr<T>>.

Applications should check if the StatusOr<T> contains a value before using it, much like how you might check that a pointer is not null before dereferencing it. Indeed, a StatusOr<T> object can be used like a smart-pointer to T, with the main difference being that when it does not hold a T it will instead hold a Status object with extra information about the error.

You can check that a StatusOr<T> contains a value by calling the .ok() method, or by using operator bool() (like with other smart pointers). If there is no value, you can access the contained Status object using the .status() member. If there is a value, you may access it by dereferencing with operator*() or operator->(). As with all smart pointers, callers must first check that the StatusOr<T> contains a value before dereferencing and accessing the contained value. Alternatively, callers may instead use the .value() member function which is defined to throw a RuntimeStatusError if there is no value.

Note

If you're compiling with exceptions disabled, calling .value() on a StatusOr<T> that does not contain a value will terminate the program instead of throwing.

Example

  namespace iam = ::google::cloud::iam;
  [](std::string const& project_id) {
    iam::IAMClient client(iam::MakeIAMConnection());
    int count = 0;
    // The actual type of `service_account` is
    // google::cloud::StatusOr<google::iam::admin::v1::ServiceAccount>, but
    // we expect it'll most often be declared with auto like this.
    for (auto const& sa :
         client.ListServiceAccounts("projects/" + project_id)) {
      // Use `service_account` like a smart pointer; check it before
      // de-referencing
      if (!sa) {
        // `service_account` doesn't contain a value, so `.status()` will
        // contain error info
        std::cerr << sa.status() << "\n";
        break;
      }
      std::cout << "ServiceAccount successfully retrieved: " << sa->name()
                << "\n";
      ++count;
    }
  }

Override the default endpoint

In some cases, you may need to override the default endpoint used by the client library. Use the google::cloud::EndpointOption when initializing the client library to change this default.

For example, this will override the default endpoint for iam::IAMClient:

  // This configuration is common with Private Google Access:
  //     https://cloud.google.com/vpc/docs/private-google-access
  auto options = google::cloud::Options{}.set<google::cloud::EndpointOption>(
      "private.googleapis.com");
  auto client = google::cloud::iam::IAMClient(
      google::cloud::iam::MakeIAMConnection(options));

Follow these links to find examples for other *Client classes: iam::IAMClient iam::IAMCredentialsClient iam::IAMPolicyClient iam_v2::PoliciesClient

Override the authentication configuration

Some applications cannot use the default authentication mechanism (known as Application Default Credentials). You can override this default using google::cloud::UnifiedCredentialsOption. The following example shows how to explicitly load a service account key file.

  [](std::string const& keyfile) {
    auto is = std::ifstream(keyfile);
    is.exceptions(std::ios::badbit);  // Minimal error handling in examples
    auto contents = std::string(std::istreambuf_iterator<char>(is.rdbuf()), {});
    auto options =
        google::cloud::Options{}.set<google::cloud::UnifiedCredentialsOption>(
            google::cloud::MakeServiceAccountCredentials(contents));
    return google::cloud::iam::IAMClient(
        google::cloud::iam::MakeIAMConnection(options));
  }

Follow these links to find examples for other *Client classes: iam::IAMClient iam::IAMCredentialsClient iam::IAMPolicyClient iam_v2::PoliciesClient

Keep in mind that we chose this as an example because it is relatively easy to understand. Consult the Best practices for managing service account keys guide for more details.

See also

Authentication Components - for more information on the factory functions to create google::cloud::Credentials objects.

Next Steps

Testing your Cloud IAM application with googlemock Testing your Cloud IAM Credentials application with googlemock