Last Updated: January 2023
Up to this point, you've been using your personal Google account to authenticate with Google Earth Engine (see: 1. Handle GEE Authentication). However, when you run an app that uses Google Earth Engine in a production environment, you will not want it to be using your personal credentials. Instead you will use a service account, which is an account associated with an application instead of a user.
This tutorial requires you to already have a service account registered with Google Earth Engine. If you do not already have a service account, follow the instructions here: How do I create a service account?. It may take several days for your registration application to be reviewed and approved.
The following topics are covered in this tutorial:
Create Google Service Account Keys
Use Service Account for Google Earth Engine Operations
If you wish to use the previous solution as a starting point:
git clone https://github.com/tethysplatform/tethysapp-earth_engine.git cd tethysapp-earth_engine git checkout -b rest-api-solution rest-api-solution-4.1
After you have setup your service account, you will need to create a key that the app can use to authenticate with Google Earth Engine.
Navigate to https://console.developers.google.com/.
Open the project that contains your Google Earth Engine Service Account using the drop-down menu located to the right of "Google APIs" in the header of the page.
Select Credentials from the left-hand navigation menu.
Click on the email or edit button of the service account you registered to see the account details.
Select the KEYS tab.
Press the Add Key button and select Create new key.
Select JSON and press CREATE.
Locate the file that was downloaded an place it in a secure location.
The only copy of the key you generated is contained in the file that was downloaded. You cannot download it again. If you lose the file, repeat the process to generate a new key and delete the old one.
The app needs to be configured to use the service account key that you downloaded in the previous step. Fortunately, the code is already in place to handle service accounts. You simply need to add your credentials to the
Open the key file you downloaded in the previous step.
client_emailvalue from the key file into the
Enter the path to the key file in the
As mentioned above, the logic is already in place to handle the service account. This is located at the top of
if gee_account.service_account: try: credentials = ee.ServiceAccountCredentials(gee_account.service_account, gee_account.private_key) ee.Initialize(credentials) except EEException as e: print(str(e)) else: try: ee.Initialize() except EEException as e: from oauth2client.service_account import ServiceAccountCredentials credentials = ServiceAccountCredentials.from_p12_keyfile( service_account_email='', filename='', private_key_password='notasecret', scopes=ee.oauth.SCOPE + ' https://www.googleapis.com/auth/drive ' ) ee.Initialize(credentials)
Until now, the app has not had service account credentials, so it has been using the logic in the
else clause of the conditional statement.
Please make sure you are using the latest version of the earthengine-api when authenticating with your service account for the first time. Using an old version in the first authetication can cause a 404 error. After the initial authetication older version of the earthengine-api can be used.
Navigate to http://localhost:8000/apps/earth-engine/viewer/ and verify the following:
Load several datasets and ensure the imagery is displayed on the map.
Test the Plot Area of Interest capability.
Upload a boundary shapefile and verify that the imagery is clipped to the extents of that boundary.
You will not be able to debug or monitor the status of tasks submitted by the service account through the Google Earth Engine Code Editor, because it is a separate account from your account.