Google API clients typically recognise the GOOGLE_APPLICATION_CREDENTIALS
environment variable. If found, it's expected to point to a JSON file with credentials for either a service account or a user.
Service account credentials can be downloaded from the GCP web console and look like this:
{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "...",
  "client_email": "...",
  "client_id": "...",
  "auth_uri": "...",
  "token_uri": "...",
  "auth_provider_x509_cert_url": "...",
  "client_x509_cert_url": "..."
}
User credentials are often available in ~/.config/gcloud/application_default_credentials.json
and look something like:
{
  "client_id": "...",
  "client_secret": "...",
  "refresh_token": "...",
  "type": "authorized_user"
}
Here's an example of the official Google rubygem detecting the type of credentials provided via the environment variable.
I'd like to authenticate an unconfigured gcloud install with both types of credential. In our case we happen to be passing the GOOGLE_APPLICATION_CREDENTIALS
variable and path into a docker container, but I think this is a valid question for clean installs outside docker too.
If the credentials file is a service account type, I can do this:
gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}
However I can't see any way to handle the case where the credentials belong to a real user.
Questions:

GOOGLE_APPLICATION_CREDENTIALS when available?

As you point out, the gcloud command line tool (CLI) does not use application default credentials. It has a separate system for managing its own credentials.
GOOGLE_APPLICATION_CREDENTIALS is designed for client libraries, to simplify wiring in credentials, and the gcloud CLI is not a library. Even in client code, the best practice is not to depend on this environment variable but instead to explicitly provide credentials.
To answer your second question, user credentials can be obtained via the
gcloud auth login
command. (NOTE: this is different from gcloud auth application-default login.) Besides saving the actual credentials, this will also set the account
property in the current configuration:
gcloud config list
gcloud can have many configurations, each with different credentials. See
gcloud config configurations list
You can create multiple configurations, one with a user account and another with a service account, and use them simultaneously by providing the --configuration
parameter, for example
gcloud compute instances list --configuration MY_USER_ACCOUNT_CONFIG
Similarly, you can also switch which credentials are used with the --account
flag, in which case it will use the same configuration and only swap out the account.
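As an added example (this is not code from the question or the answer above), the following POSIX shell script reads the "type" field from the file that GOOGLE_APPLICATION_CREDENTIALS points to and applies the approach the answer describes: a service_account key is activated inside its own gcloud configuration with gcloud auth activate-service-account, while an authorized_user file has no non-interactive import path, so the script reports that gcloud auth login must be run in that configuration. The helper names, the configuration names sa-config and user-config, and the constructed sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Helper names,
# configuration names and the sample file below are assumptions.

# Print the value of the top-level "type" key of a credentials JSON file.
# Uses only sed so it works in minimal containers that lack jq.
credential_type() {
    sed -n 's/^[[:space:]]*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# One gcloud configuration per credential kind (assumed names), so a user
# account and a service account can coexist as the answer suggests.
config_name_for() {
    case "$(credential_type "$1")" in
        service_account) echo "sa-config" ;;
        authorized_user) echo "user-config" ;;
        *) echo "" ;;
    esac
}

# The gcloud command that gets these credentials into gcloud's own store.
# authorized_user files (refresh tokens) cannot be imported non-interactively;
# the user has to run gcloud auth login, which is what the answer points out.
bootstrap_command() {
    case "$(credential_type "$1")" in
        service_account) echo "gcloud auth activate-service-account --key-file=$1" ;;
        authorized_user) echo "gcloud auth login" ;;
        *) echo "" ;;
    esac
}

# Create (or reuse) the dedicated configuration and activate credentials in it.
# Only talks to gcloud when it is installed; otherwise it reports what it would do.
bootstrap_gcloud() {
    file="$1"
    cfg="$(config_name_for "$file")"
    [ -n "$cfg" ] || { echo "unrecognised credential type in $file" >&2; return 1; }
    if ! command -v gcloud >/dev/null 2>&1; then
        echo "gcloud not installed; would run in configuration $cfg: $(bootstrap_command "$file")"
        return 0
    fi
    # create activates the new configuration; if it already exists, activate it instead
    gcloud config configurations create "$cfg" 2>/dev/null || gcloud config configurations activate "$cfg"
    case "$(credential_type "$file")" in
        service_account) gcloud auth activate-service-account --key-file="$file" --configuration "$cfg" ;;
        authorized_user) gcloud auth login --configuration "$cfg" ;;   # interactive: browser or URL prompt
    esac
}

# Constructed sample with placeholder values (not real credentials) so the
# detection can be shown without touching a real key file.
sample="$(mktemp)"
printf '{\n  "type": "service_account",\n  "project_id": "example-project"\n}\n' > "$sample"
echo "detected: $(credential_type "$sample") -> $(bootstrap_command "$sample")"
rm -f "$sample"
```

In the Docker case from the question, bootstrap_gcloud "$GOOGLE_APPLICATION_CREDENTIALS" can run as an entrypoint step: a service-account key is activated unattended, and a user credentials file fails fast with a clear message instead of silently leaving gcloud unauthenticated. Because the credentials land in their own named configuration, later commands can pick them with --configuration sa-config or --account exactly as the answer describes.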