Before you can make requests to Earth Engine through a client library, you must authenticate and use the resultant credentials to initialize the Earth Engine client. If you are making direct requests through the REST API, you need to use credentials to make authenticated requests. You may need credentials to authenticate to other Google Cloud services programmatically. This page describes the process of Authentication and Initialization for various environments.
Earth Engine Code Editor
Authentication and initialization are handled automatically. You may choose to route requests through a Cloud Project from your login at the upper right of the Code Editor.
Authentication with Earth Engine client library helpers
The client libraries, JavaScript and Python (including the command line interface), have authentication helpers that generate narrowly-scoped credentials, suitable for using Earth Engine but not other Google Cloud services. If you can't create and/or don't have access to a Cloud Project configured to use Earth Engine, use the Code Editor or a client library helper to authenticate to Earth Engine.
Python
If you are using the Python API,
ee.Authenticate()
will create and save credentials that will automatically be used by
ee.Initialize()
. See
the Earth Engine Python
installation page for details.
JavaScript
If you are using the JavaScript API (outside of the Code Editor), use one of the
authentication helpers in ee.data
(for example,
ee.data.authenticateViaPopup()
)
followed by ee.initialize()
as shown in this example.
Authentication with a Credentials
object
You can use Credentials for authentication with Earth Engine and other Google Cloud services. The following describes general purpose methods for obtaining credentials that may be used with Earth Engine or other Google Cloud services.
gcloud
The gcloud
command
line interface is a set of tools to create and manage Google Cloud resources.
gcloud
can help you create and manage OAuth2 credentials.
The following gcloud
command
(learn
more about this command) establishes credentials and sets an environment variable pointing
to them:
gcloud auth application-default login --scopes='https://www.googleapis.com/auth/devstorage.full_control','https://www.googleapis.com/auth/earthengine'
Running that command on a machine with an Earth Engine client library will create credentials
that can be used to initialize the Earth Engine client. Note that
this authentication flow requires gcloud
to be installed on a machine
with browser access. Also note that you must specify scopes when authenticating as an
end-user
(learn
more). The scopes in the above command are the most minimal required to use the
Earth Engine service.
Colab
If you are using a Colab notebook, you can use the Colab auth
helper:
from google.colab import auth auth.authenticate_user()
Service Account
If you are authenticating as a service account, you can obtain credentials using
this
method. Other methods include authenticate_service_account
in the Colab
auth
module and the methods described in the
Cloud guide to
authenticating as a service account.
Compute Engine Virtual Machine (VM)
If your code is running on a Compute Engine VM, a default service account is created for the environment. You may need to register the service account to use Earth Engine if the Cloud Project through which the VM was started is not registered for use with Earth Engine (commercial or non-commercial).
Initialization
Once you have created credentials, you can use them to initialize an Earth Engine client. When you initialize, provide a Cloud Project through which Earth Engine calls are routed. To pick up default credentials created from through one of the methods described above, run:
credentials, project_id = google.auth.default() ee.Initialize(credentials, project='your-project')
Note that the scopes of credentials loaded from google.auth.default()
are
determined from the compute environment and may not meet your needs. Specifically, they
may be more broad than you need for using Earth Engine. Although broader scopes are useful
for authenticating to other Google Cloud clients, services or APIs, you may want to avoid
overly broad scopes for security reasons.
Also note that your-project
must have the Earth Engine API enabled and
either you, the service account or the project is registered to use Earth Engine. See
this reference
for details.
If you don't have a Cloud Project and can't create one, follow these instructions.