[SOLVED] The Python script for updating rules in the Cloud Armor in Google Cloud Platform by REST API

The Python script for updating rules in the Cloud Armor in Google Cloud Platform by REST API

I want to write a Python script that will update or add new rules to Cloud Armor in Google Cloud Platform using the Compute Engine REST API.

But I have several doubts:

Is the official Google Cloud Client Library for Python suitable for this purpose (if not what you propose)?
Which Python package should I install for this purpose?
Is this standard authentication (JSON file that contains my private key and correctly setting the environment variable GOOGLE_APPLICATION_CREDENTIALS) enough to connect to this API for the purpose that I want to achieve?

I am asking for directions.

Solution

A Python script would be a good way to go, and you can use the Google APIs Python client library to achieve this.

The Google Cloud Client Library for Python may not be sufficient, but the Google Cloud Client Libraries are the latest and recommended client libraries for calling Google Cloud APIs.

Compute Engine v1 securityPolicies REST API resource provides a list of methods that you need, such as addRule, getRule and patchRule to add a new rule, retrieve and update an existing rule respectively.

Checkout the PyDoc reference for the Compute Engine API for a full list of methods with explanations on how to use them.

Also, the Python Package (Google API Python Client Library) is what you need to use.

The standard authentication you mentioned provides a useful method for authorizing requests to the Compute Engine API via the Python Client Library.

According to the official doc: GCP client libraries use a strategy called Application Default Credentials (ADC) to find your application's credentials. When your code uses a client library, the strategy checks for your credentials in the following order:

First, ADC checks to see if the environment variable GOOGLE_APPLICATION_CREDENTIALS is set. If the variable is set, ADC uses the service account file that the variable points to. The next section describes how to set the environment variable.

If the environment variable isn't set, ADC uses the default service account that Compute Engine, Kubernetes Engine, App Engine, and Cloud Functions provide, for applications that run on those services.

If ADC can't use either of the above credentials, an error occurs.

Finally, ensure that the user accounts you choose to use have the correct IAM permissions required to configure Cloud Armor on Compute engine.