
This post describes some of the frequently used Google Cloud (GCP) auth types, with troubleshooting tips for authenticating with the gcloud CLI and with ADC.
The following two methods are the most frequently used, and they are different from each other:
- Authenticate to run gcloud commands using user credentials/service account key file.
- Authenticate to a GCP Service using a programming language.
1. Authenticate to run gcloud commands using user credentials/service account key file.
We can use the gcloud CLI tool for Google Cloud administration. Run the command below to authenticate using user credentials.
gcloud auth login
Run the command below to authenticate gcloud using a service account key file.
gcloud auth activate-service-account SERVICE_ACCOUNT@DOMAIN.COM --key-file=/path/key.json
2. Authenticate to a GCP Service using a programming language.
Google authentication libraries used in programming languages (like Python, Terraform HCL) find credentials using a strategy called Application Default Credentials (ADC).
In local development environments, ADC searches for credentials in the following order:
- GOOGLE_APPLICATION_CREDENTIALS Variable
- User credentials created by gcloud CLI
GOOGLE_APPLICATION_CREDENTIALS Variable
We can use the GOOGLE_APPLICATION_CREDENTIALS environment variable to provide the location of a service account key file.
Use the following command to export the variable.
export GOOGLE_APPLICATION_CREDENTIALS=/path/key.json
User credentials created by gcloud CLI
You can provide user credentials to ADC by running the command below.
gcloud auth application-default login
When the above gcloud command runs successfully, it creates a JSON file containing the credentials of our Google user account in the following location.
$HOME/.config/gcloud/application_default_credentials.json
Note: The credentials you provide to ADC by running gcloud auth application-default login are different from your gcloud auth login credentials.
Troubleshooting Tips for gcloud auth
When you get access denied errors while running gcloud commands, check which account's credentials are in use by running the command below.
gcloud auth list
If you are using the wrong account, you can switch to another authenticated account by running the command below. This can be done for service accounts as well.
gcloud config set account user@example.com
To revoke authentication for one particular account, run the command below.
gcloud auth revoke user@example.com
To revoke access for all authenticated accounts in the local development environment, run the command below.
gcloud auth revoke --all
Troubleshooting Tips for ADC
ADC checks credentials in order: it first uses the credential file named by the GOOGLE_APPLICATION_CREDENTIALS variable.
To see which file is exported via the GOOGLE_APPLICATION_CREDENTIALS variable, run the command below.
env | grep GOOGLE_APPLICATION_CREDENTIALS
To allow ADC to use user-provided credentials (from gcloud auth application-default login), unset the GOOGLE_APPLICATION_CREDENTIALS variable. To unset the variable, run the command below.
unset GOOGLE_APPLICATION_CREDENTIALS
Note: once you have run the above command, applications like Terraform and the Python SDKs start using the $HOME/.config/gcloud/application_default_credentials.json file for authentication credentials. If it has expired credentials, you need to run gcloud auth application-default login again to renew them.
If you have a GCP auth token and don’t know which account it belongs to, you can verify it with the URL below.
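The script below is an added example, not part of the original post: it walks the two-step ADC search order described above and reports which source would be picked and what kind of credential it holds. The function names adc_source and adc_cred_type are hypothetical, and the script assumes the "type" field in the JSON file is "service_account" for a key file and "authorized_user" for the file created by gcloud auth application-default login.

```shell
#!/bin/sh
# Added example (not from the original post): report which credential source
# ADC would pick in a local environment, following the search order above.
# Makes no network calls and prints no secret material.

# Read the "type" field of a credentials JSON file without requiring jq.
# Assumption: service account key files carry "service_account"; the file
# written by `gcloud auth application-default login` carries "authorized_user".
adc_cred_type() {
  t=$(sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
  echo "${t:-unknown}"
}

# Print "<source>:<type>:<path>", or "none" when neither source is present.
adc_source() {
  well_known="${HOME:-}/.config/gcloud/application_default_credentials.json"
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    # The variable is checked first, so a bad path here is the thing to fix
    # before looking at the gcloud-created file.
    if [ -f "$GOOGLE_APPLICATION_CREDENTIALS" ] && [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
      echo "env:$(adc_cred_type "$GOOGLE_APPLICATION_CREDENTIALS"):$GOOGLE_APPLICATION_CREDENTIALS"
    else
      echo "env:unreadable:$GOOGLE_APPLICATION_CREDENTIALS"
    fi
  elif [ -f "$well_known" ] && [ -r "$well_known" ]; then
    echo "gcloud-user-adc:$(adc_cred_type "$well_known"):$well_known"
  else
    echo "none"
  fi
}

# Report for the current shell.
adc_source
```

A result starting with env: when you expected your user credentials means the variable is still exported in the current shell.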
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=<auth-token>
You can find more information on Google Cloud (GCP) auth types and troubleshooting tips in the official documentation.