The following example shows several important steps to call Google Cloud APIs without using an SDK in Python. Similar code works in just about any language (c#, java, php, nodejs).

Change the source code with the filename of your service account Json file, your Google Zone and your Project ID.

This example will list the instances in one zone for the specified project. From this example you will know the framework to call almost any Google Cloud API.

This code will show you how to:

  1. How to load service account credentials from a Json file.
  2. How to extract the Private Key used to sign requests.
  3. How to create a JWT (Json Web Token) for Google Oauth 2.0.
  4. How to set the Google Scopes (permissions).
  5. How to sign a JWT to create a Signed-JWT (JWS).
  6. How to exchange the Signed-JWT for a Google OAuth 2.0 Access Token.
  7. How to set the expiration time. This program defaults to 3600 seconds (1 Hour).
  8. How to call a Google API and set the Authorization Header.
  9. How to process the returned Json results and display the name of each instance.

Example program in Python 3.x:

Update: tokens created after October 23, 2021

If you print the access token, you might notice the token is padded with dots (period characters). Google plans to roll out security and reliability improvements. One of these changes is increasing the size of the OAuth tokens to 2048 bytes. During the testing phase tokens are padded with dots (period characters). Do not truncate or remove those padding characters.

For more details read this Google notice:

Hello Google Cloud Customer,

We’re writing to let you know that on August 23, 2021, we will roll out security and reliability improvements that will increase the sizes of OAuth 2.0 access tokens that your services may be using to call Google Cloud Platform APIs.

The access token size increase will only impact services that don’t conform to the access token size limits of 2048 bytes established on Google’s Developer guide and RFC 6749. If your service falls into this category, please continue reading and take action as outlined below.

What do I need to know?

The enhancement described above will increase the access token size issued to your services that authorize to Google Cloud APIs. Please consider that:

The overall access token size will continue to remain within the 2048 bytes limit documented in Google’s Developer guide and public documentation. Google’s OAuth 2.0 access tokens will also continue to conform to the standards defined in The OAuth 2.0 Authorization framework RFC 6749. Verification Phase

To be able to identify services that may be impacted, we are launching a verification phase. In this phase we will serve projects with access tokens that have been artificially inflated with extra padding and monitor the size of the token that we receive back from these projects.

The purpose of this phase is to identify the projects that will be affected once the enhancement described above takes place. Even if your services end up trimming this extra padding in the token to limit its size, the token will remain valid and calls to Google Cloud APIs should succeed while allowing us to pinpoint these services that do trim tokens. We will notify the project owner(s) accordingly to make the recommended changes to these services before August 23, 2021, rollout and avoid potential outage of these services.

On August 23, 2021, we will roll out security and reliability improvements that will increase the sizes of OAuth 2.0 access tokens for all projects.

Unlike the specially padded tokens that were sent during the verification phase, these tokens will not have a padding and the token itself will be larger compared to current tokens. We will also remove all projects from the exception-list and begin issuing the larger access tokens to all Google Cloud Platform (GCP) projects. After this time, if your services continue to trim the access tokens size, then their calls to Google Cloud APIs will fail. What do I need to do?

We strongly recommend that you use the documented token size limits of 2048 bytes and to remove any logic in your services/code that restricts its ability to process access tokens of certain sizes.

Please consider that:

If you haven’t built your Google Cloud APIs services’ frameworks based on access token size limits, no action is required from your part. If your services expect access tokens to meet certain size limits then these services may be impacted and their calls to Google Cloud APIs may fail. If we detect that the token sizes are being trimmed by services in this project, we will notify you by July 30, 2021, and automatically enroll the impacted projects into an exception-list. Projects in this exception-list will revert to receiving the currently available smaller access tokens until August 23, 2021. This verification phase will give you enough time to make the recommended changes to your service/code. Please use this form to enroll specific projects by June 7, 2021. For us to do the verification, we require you to follow these steps below in the specified timeline:

From now and until June 7, 2021: You can opt-in to enroll specific projects to receive the specially padded longer access tokens that could be up to 2048 bytes in size. We will monitor the access token size we send and receive back from these projects. On June 21, 2021: We will automatically enroll all GCP projects to receive the specially padded larger tokens. You can opt-out your projects from this phase by filling this form by June 7, 2021. If we don’t hear from you by June 7, 2021, we will send these projects the padded access tokens and monitor the token size we receive back from them.

Also, see my answer on Stack Overflow.