I need to use some gcloud commands locally in cmd, and I need to be authenticated as a service account; the JSON key file of that service account is saved in my local folder. And I am not clear:
1.
gcloud auth default-application login
// As I know, this one is NOT the same as "gcloud auth login", but what is the difference?
When should I use this?
I know that after this command I will get this JSON file in my folder C:\Users\<MyUserName>\AppData\Roaming\gcloud\application_default_credentials.json
What does ADC (Application Default Credentials) mean?
Which setting can override this one?
2.
set GOOGLE_APPLICATION_CREDENTIALS=${PATH}/${SERVICE-ACCOUNT-KEY-FILE-NAME}.json
// If I only do command 3, I guess I do not have to use this command 2? What is the difference between command 2 and command 3? Which one has more power?
3.
gcloud auth activate-service-account "${SERVICE-ACCOUNT-EMAIL}" --key-file=${PATH}/${SERVICE-ACCOUNT-KEY-FILE-NAME}.json --project=${PROJECT_ID}
gcloud config set account ${SERVICE-ACCOUNT-EMAIL}
Thank you!
As long as you can, you should avoid using service account key files. It's a security bad practice and can create issues in your project.
I strongly recommend avoiding options 2 and 3 for that reason.
Option 1 is great but has a problem: you use your own account, and thus your own permissions, not the permissions of a service account.
If you want to use the service account's permissions, you can impersonate the service account like this:
gcloud auth application-default login --impersonate-service-account=<Service account email>
Note that you made a mistake in the command gcloud auth default-application login: you inverted default and application.
To complete this command, you (your user account) must have the role "Service Account Token Creator" on the service account (or on the project/folder/organisation which contains it).
That being said, let me explain the ADC mechanism. The client libraries are built to automatically discover the credentials of the current runtime environment and perform tests in this order:
gcloud auth
store the credential files on Linux and Windows
A word about your option 3. In fact, options 1 and 2 set credentials for the application-default context, meaning when you run code and the client libraries look for credentials in the runtime environment.
Option 3 sets the service account credentials from the service account key file for the gcloud CLI, not for your own code. It's a different scope.
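As an added example (not code from the question or from the answer above), here is a stand-alone Python script that applies the ADC lookup order the answer refers to: the GOOGLE_APPLICATION_CREDENTIALS variable from option 2 is checked first, then the well-known file written by gcloud auth application-default login (option 1), and otherwise the runtime falls back to the attached identity via the metadata server. It reports which source a client library would pick up and flags the case where that source is a long-lived service-account key, which is what the answer advises against. The CLOUDSDK_CONFIG variable and the %APPDATA%\gcloud and ~/.config/gcloud locations are gcloud's real conventions; the account e-mails, file contents and temp-directory layout in demo() are constructed for the demonstration and contain no real key material.

```python
"""Report which Application Default Credentials (ADC) source is in effect.

Added example, not from the question or answer. Standard library only, so
it runs offline; the JSON files it creates in demo() are constructed samples.
"""
import json
import pathlib
import tempfile

WELL_KNOWN = "application_default_credentials.json"


def describe_credential_file(path, source):
    """Classify a credential JSON file by its 'type' field.

    'service_account' is a downloaded private key (the question's option 2/3);
    'authorized_user' is a personal login; 'impersonated_service_account' is
    what --impersonate-service-account leaves in the well-known file."""
    data = json.loads(path.read_text(encoding="utf-8"))
    kind = data.get("type", "unknown")
    email = None
    if kind == "service_account":
        email = data.get("client_email")
    elif kind == "impersonated_service_account":
        # gcloud stores the IAM Credentials generateAccessToken URL of the target account
        url = data.get("service_account_impersonation_url", "")
        email = url.rsplit("/", 1)[-1].split(":", 1)[0] or None
    return {
        "source": source,
        "path": str(path),
        "type": kind,
        "service_account": email,
        "long_lived_key": kind == "service_account",
    }


def gcloud_config_dir(env, home):
    """gcloud's config dir: CLOUDSDK_CONFIG wins, else %APPDATA%\\gcloud on Windows,
    else ~/.config/gcloud on Linux/macOS."""
    if env.get("CLOUDSDK_CONFIG"):
        return pathlib.Path(env["CLOUDSDK_CONFIG"])
    if env.get("APPDATA"):
        return pathlib.Path(env["APPDATA"]) / "gcloud"
    return pathlib.Path(home) / ".config" / "gcloud"


def resolve_adc(env, home):
    """Apply the ADC lookup order used by the Google client libraries:
    1. GOOGLE_APPLICATION_CREDENTIALS (the question's `set ...` command, option 2)
    2. the well-known file from `gcloud auth application-default login` (option 1)
    3. otherwise the runtime's attached identity via the metadata server,
       which is not reachable offline and is therefore only reported here."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        path = pathlib.Path(explicit)
        if not path.is_file():
            raise FileNotFoundError(f"GOOGLE_APPLICATION_CREDENTIALS points at a missing file: {path}")
        return describe_credential_file(path, "GOOGLE_APPLICATION_CREDENTIALS")
    well_known = gcloud_config_dir(env, home) / WELL_KNOWN
    if well_known.is_file():
        return describe_credential_file(well_known, "gcloud auth application-default login")
    return {"source": "metadata server (attached service account) or none",
            "path": None, "type": None, "service_account": None, "long_lived_key": False}


def demo():
    """Run the resolver over constructed sample files (no real credentials)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = pathlib.Path(tmp)
        cfg = tmp / "gcloud"
        cfg.mkdir()
        # constructed: the well-known file after `--impersonate-service-account`
        (cfg / WELL_KNOWN).write_text(json.dumps({
            "type": "impersonated_service_account",
            "service_account_impersonation_url":
                "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
                "deploy-bot@example-project.iam.gserviceaccount.com:generateAccessToken",
            "source_credentials": {"type": "authorized_user", "client_id": "x",
                                   "client_secret": "x", "refresh_token": "x"},
        }), encoding="utf-8")
        # constructed: a downloaded service-account key file with placeholder key material
        key = tmp / "sa-key.json"
        key.write_text(json.dumps({
            "type": "service_account",
            "client_email": "legacy-key@example-project.iam.gserviceaccount.com",
            "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        }), encoding="utf-8")
        base_env = {"CLOUDSDK_CONFIG": str(cfg)}
        return {
            "option2_env_var": resolve_adc({**base_env, "GOOGLE_APPLICATION_CREDENTIALS": str(key)}, tmp),
            "option1_impersonated": resolve_adc(base_env, tmp),
            "nothing_configured": resolve_adc({"CLOUDSDK_CONFIG": str(tmp / "empty")}, tmp),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        flag = "  <-- long-lived key in use" if result["long_lived_key"] else ""
        print(f"{name:22} {result['source']} type={result['type']} sa={result['service_account']}{flag}")
```

Because the environment variable is checked before the well-known file, a stale GOOGLE_APPLICATION_CREDENTIALS pointing at a key file silently wins over an impersonated login; running this check on build hosts and developer machines is a quick way to find that condition.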