
gcloud auth how to check if logged in, in a headless manner?


I am trying to check if one's application credentials are still valid, in a headless manner.

  • gcloud auth application-default print-access-token will prompt for a password, so it's not headless.
  • gcloud auth login --brief ends up pulling up a browser, so it's not headless.

Is there some way to check if credentials are still valid, without logging in?


To address some comments, I am using a user account. This is what I am seeing:

> gcloud auth application-default print-access-token
Reauthentication required.
Please enter your password:

The password it is prompting for here is my Google Account password.

Here is my gcloud info output:

Google Cloud SDK [468.0.0]

Platform: [Mac OS X, arm] uname_result(system='Darwin', node='User-Computer.local', release='23.3.0', version='Darwin Kernel Version 23.3.0: Wed Dec 20 21:30:59 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T6030', machine='arm64')
Locale: ('en_US', 'UTF-8')
Python Version: [3.12.2 (main, Feb 28 2024, 10:45:25) [Clang 15.0.0 (clang-1500.1.0.2.5)]]
Python Location: [/Users/user/code/repo/venv/bin/python3]
OpenSSL: [OpenSSL 3.2.1 30 Jan 2024]
Requests Version: [2.25.1]
urllib3 Version: [1.26.9]
Default CA certs file: [/opt/homebrew/Caskroom/google-cloud-sdk/466.0.0/google-cloud-sdk/lib/third_party/certifi/cacert.pem]
Site Packages: [Enabled]

Installation Root: [/opt/homebrew/share/google-cloud-sdk]
Installed Components:
  gsutil: [5.27]
  core: [2024.03.08]
  bq: [2.0.101]
  gcloud-crc32c: [1.0.0]
System PATH: [/Users/user/code/repo/venv/bin:/Users/user/.pyenv/shims:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/Users/user/.local/bin:/Users/user/.oh-my-zsh/custom/plugins/diff-so-fancy:/opt/homebrew/opt/fzf/bin]
Python PATH: [/opt/homebrew/Caskroom/google-cloud-sdk/466.0.0/google-cloud-sdk/lib/third_party:/opt/homebrew/Caskroom/google-cloud-sdk/466.0.0/google-cloud-sdk/lib:/opt/homebrew/share/google-cloud-sdk/lib:/Users/user/.pyenv/versions/3.12.2/lib/python312.zip:/Users/user/.pyenv/versions/3.12.2/lib/python3.12:/Users/user/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload:/Users/user/code/repo:/Users/user/code/repo/venv/lib/python3.12/site-packages]
Cloud SDK on PATH: [False]
Kubectl on PATH: [/usr/local/bin/kubectl]

Installation Properties: [/opt/homebrew/share/google-cloud-sdk/properties]
User Config Directory: [/Users/user/.config/gcloud]
Active Configuration Name: [default]
Active Configuration Path: [/Users/user/.config/gcloud/configurations/config_default]

Account: [email@example.com]
Project: [project]
Universe Domain: [googleapis.com]

Current Properties:
  [core]
    account: [email@example.com] (property file)
    disable_usage_reporting: [true] (property file)
    project: [project] (property file)

Logs Directory: [/Users/user/.config/gcloud/logs]
Last Log File: [/Users/user/.config/gcloud/logs/2024.03.13/09.22.57.790126.log]

git: [git version 2.44.0]
ssh: [OpenSSH_9.4p1, LibreSSL 3.3.6]

Solution

    When talking about GCP, there are two different kinds of authentication:

    • authentication for the gcloud CLI
    • authentication for other software (e.g. Python programs) running on your computer that needs to access GCP, using gcloud Application Default Credentials (ADC)

    You can read about the difference here.

    GCloud CLI authentication test

    You can try to run a command that should be available to all users, regardless of IAM roles. For example: gcloud auth print-access-token or gcloud projects list.

    In a bash script, you could use it like this:

    if gcloud projects list &> /dev/null; then
        echo "logged"
    else
        echo "not logged"
    fi
    

    I couldn't find it in the documentation, but from reading the gcloud source code it appears that with some configurations or auth methods the CLI might ask for a password prompt to reauthenticate the session. In that case, you could "defeat" the stdin with the --quiet parameter or by passing an empty string to it:

    if echo "" | gcloud projects list &> /dev/null; then
        echo "logged"
    else
        echo "not logged"
    fi
    

    ADC authentication test

    Your initial attempt was correct. As explained in the documentation, gcloud auth application-default print-access-token will print an auth token only if ADC is set up correctly on your machine, with valid credentials.

    The password prompt you are experiencing can be disabled in the same way as above, with the --quiet parameter or by passing an empty string to it.

    if echo "" | gcloud auth application-default print-access-token &> /dev/null; then
        echo "logged"
    else
        echo "not logged"
    fi
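
The two checks from the answer above combined into one headless function, as an added example that is not part of the original answer: stdin is closed so the reauthentication prompt cannot block, and the token on stdout is discarded so it never lands in logs. `GCLOUD_BIN`, `GCLOUD_ERR` and the function names are assumptions made for this sketch; the "Reauthentication required" match uses the message shown in the question.

```bash
#!/usr/bin/env bash
# Added example: headless validity check for gcloud CLI and ADC credentials.
# GCLOUD_BIN, GCLOUD_ERR and the function names are assumptions of this sketch.
GCLOUD_BIN="${GCLOUD_BIN:-gcloud}"

# check_gcloud_creds <cli|adc>
# Returns 0 = token issued, 1 = reauthentication required,
#         2 = other failure, 3 = gcloud not found or bad argument.
check_gcloud_creds() {
    case "$1" in
        cli) set -- auth print-access-token ;;
        adc) set -- auth application-default print-access-token ;;
        *)   echo "usage: check_gcloud_creds cli|adc" >&2; return 3 ;;
    esac
    command -v "$GCLOUD_BIN" >/dev/null 2>&1 || return 3

    # stdin is /dev/null, so a password prompt reads EOF instead of waiting.
    # stdout (the bearer token) is discarded so it never reaches logs or CI
    # output; only stderr is captured, to classify the failure.
    if GCLOUD_ERR=$("$GCLOUD_BIN" "$@" --quiet </dev/null 2>&1 >/dev/null); then
        GCLOUD_ERR=""
        return 0
    fi
    # "Reauthentication required" is the message shown in the question.
    case "$GCLOUD_ERR" in
        *"Reauthentication required"*) return 1 ;;
    esac
    return 2
}

# Checks both credential kinds; returns non-zero if either is unusable.
report_gcloud_auth() {
    overall=0
    for kind in cli adc; do
        rc=0
        check_gcloud_creds "$kind" || rc=$?
        case "$rc" in
            0) echo "$kind: valid" ;;
            1) echo "$kind: reauthentication required"; overall=1 ;;
            2) echo "$kind: check failed: $GCLOUD_ERR"; overall=1 ;;
            *) echo "$kind: gcloud not found"; overall=1 ;;
        esac
    done
    return "$overall"
}
```

Calling `report_gcloud_auth` from a cron job or CI step gives one status line per credential kind and a non-zero exit status when either needs attention.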