Search code examples
gcloudgcloud-cli

Can I authenticate gcloud cli using both service account and user credentials?

Google API clients typically recognise the GOOGLE_APPLICATION_CREDENTIALS environment variable. If found, it's expected to point to a JSON file with credentials for either a service account or a user.

Service account credentials can be downloaded from the GCP web console and look like this:

{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "...",
  "client_email": "...",
  "client_id": "...",
  "auth_uri": "...",
  "token_uri": "...",
  "auth_provider_x509_cert_url": "...",
  "client_x509_cert_url": "..."
}

User credentials are often available in ~/.config/gcloud/application_default_credentials.json and look something like:

{
  "client_id": "...",
  "client_secret": "...",
  "refresh_token": "...",
  "type": "authorized_user"
}

Here's an example of the official google rubygem detecting the type of credentials provided via the environment var.

I'd like to authenticate an unconfigured gcloud install with both types of credential. In our case we happen to be passing the GOOGLE_APPLICATION_CREDENTIALS variable and path into a docker container, but I think this is a valid question for clean installs outside docker too.

If the credentials file is a service account type, I can do this:

gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}

However I can't see any way to handle the case where the credentials belong to a real user.

Questions:

  1. Why doesn't the official gcloud tool follow the conventions that other google API clients use and use GOOGLE_APPLICATION_CREDENTIALS when available?
  2. Is there a hidden method that will activate the user credentials case?
Solution

  • I've found a way to authenticate a fresh gcloud when GOOGLE_APPLICATION_CREDENTIALS points to a file with user credentials rather than service account credentials. 

    cat ${GOOGLE_APPLICATION_CREDENTIALS}
{
 "client_id": "aaa",
 "client_secret": "bbb",
 "refresh_token": "ccc",
 "type": "authorized_user"
}

gcloud config set auth/client_id aaa                                                                                             
gcloud config set auth/client_secret bbb                                                                                     
gcloud auth activate-refresh-token user ccc

    This uses the undocumented auth activate-refresh-token subcommand - which isn't ideal - but it does work.

    Paired with gcloud auth activate-service-account --key-file=credentials.json, this makes it possible to initialize gcloud regardless of the credential type available at $GOOGLE_APPLICATION_CREDENTIALS