This post describes some of the frequently used Google cloud GCP auth types and troubleshooting tips while authenticating with gcloud CLI and ADC.
Following are the two frequently used methods and they both are different:
- Authenticate to run
gcloudcommands using user credentials/service account key file.
- Authenticate to a GCP Service using a programming language.
1. Authenticate to run
gcloud commands using user credentials/service account key file.
We can use gcloud CLI tool for Google Cloud administration. Run below command to authenticate using user credentials.
gcloud auth login
Run below command to authenticate gcloud using service account key file.
gcloud auth activate-service-account SERVICE_ACCOUNT@DOMAIN.COM --key-file=/path/key.json
2. Authenticate to a GCP Service using a Programming Language.
Google authentication libraries used in programming languages(like Python, Terraform HCL) find credentials using a strategy called Application Default Credentials (ADC).
Application Default Credentials (ADC) searches for credentials in the following order in local development environments:
- GOOGLE_APPLICATION_CREDENTIALS Variable
- User credentials created by gcloud CLI
We can use GOOGLE_APPLICATION_CREDENTIALS env variable to provide the location of a service account key file.
We can use following commands to export variable.
User credentials created by gcloud CLI
You can provide user credentials to ADC by running below command.
gcloud auth application-default login
When we run above gcloud command successfully it creates a JSON file containing the credentials provided by our Google user account in following locations.
Note: The credentials you provide to ADC by running gcloud auth application-default login are different from your gcloud auth login credentials.
Troubleshooting Tips for gcloud auth
When you are getting access denied errors while running gcloud commands check which account credentials are used, by running below command.
gcloud auth list
if you are using wrong account you can switch to another authenticated account by running below command. this can be done for service accounts as well.
gcloud config set account email@example.com
to revoke authentication for one particular account run below command.
gcloud auth revoke firstname.lastname@example.org
to revoke access to all authenticated accounts in local development environment, run below command.
gcloud auth revoke --all
Troubleshooting Tips for ADC
ADC checks credentials in an order, first it uses credential file exported by GOOGLE_APPLICATION_CREDENTIALS variable.
to see which file is exported via GOOGLE_APPLICATION_CREDENTIALS variable, run below command.
env| grep GOOGLE_APPLICATION_CREDENTIALS
To allow ADC to use user provided credentials(from gcloud auth application-default login), unset GOOGLE_APPLICATION_CREDENTIALS variable. to unset the variable run below command.
Note: once you finished running the above command applications like Terraform and Python SDKs start using $HOME/.config/gcloud/application_default_credentials.json file for authentication credentials. if it has expired credentials, you need to run gcloud auth application-default login again to renew credentials.
If you have GCP auth token and don’t know which account it belongs to you can use below command to verify it.
You can find more information on Google cloud GCP auth types and troubleshooting tips in official documentation.
Click here to know how to rotate GCP IAM Service Account Keys with Terraform.