Google AI Predict API: anonymous authentication for website

After reading each of these Q&As,

• google api machine learning can I use an API KEY?
• how to use google AI platform online predictions?
• How to authenticate GCP AI Platform Predictions using HTTP requests

I am still at a loss to know how to enable simple authentication for the AI Platform Predict API that doesn't need any sign-ins or OAuth screens.

My scenario is the following: we have a static website which allows the user to enter some data, the website (client) sends the data to the model for prediction via the API, and when the results come back, the website shows them to the user. We don't want the user to have to sign in or identify themselves in any way. Just input some data, push a button, and get the results.

However, as far as I've been able to search, there is no way of doing this (the documentation on authentication is in my view confusing, there are multiple overlapping articles and it is difficult to determine what applies in a specific case); you have to use some sort of OAuth which makes the user sign in with a Google account.

Is there really no way to have the website itself authenticated but not the individual users? E.g. using an API key or service account key?

If OAuth is the only way, does that mean users who want to use the website must have a Google Account? And how do I enable it: should I create an OAuth Client ID, or is it the OAuth consent screen?

The recommended practice here is that all the OAuth should happen server-side, where the GCP Service Account JSON key is stored on some backend server.

I am going to answer your question by assuming that your website is hosted on App Engine, but your website could be hosted any where on other GCP products as Cloud Run or any other hosting providers.

• In backend webserver you can make the AI Platform predict request using Service Account JSON, then you would need to configure your website to talk to this backend.

Website ----HTTP Request to App Engine URL------> App Engine (code---)--------> AI Platform

So the App Engine backend performs the authentication on behalf of the website client, as Lak clarifies here; since the requests will be passing your GCP Service Acount JSON Key, then they gain access to send the specific HTTP requests to their backend server, which makes the AI Platform calls.

In your case, you do not want the users to access your Google data, you simply want provide them access to your own AI Platform model.

Basically you can just use Client Library on server-side and it automatically does OAuth for you, as long as environment variable is set to Service Account key.

Note: You only need to do Google OAuth IF you want access to a person's Google resources (e.g Google Doc, Calendar, GCP project, etc)