How to authenticate with gcloud using just access token?

Question

So I would like to know if there is a way to authenticate gcloud utility command via an access token? E.g. if I obtained an access token via gcloud auth print-access-token and then on another computer, do gcloud auth ${access_token}

Is that possible?

Answer 1

To use an access token directly is possible in three ways as outlined here, and summarized by me below:

1. Declaring the CLOUDSDK_AUTH_ACCESS_TOKEN environment variable, see https://cloud.google.com/sdk/docs/authorizing

2. --access-token-file flag, see https://cloud.google.com/sdk/gcloud/reference#--access-token-file.

3. Configuration of --access-token-file, see https://cloud.google.com/sdk/gcloud/reference/config/set and search for access_token_file

Practical experience

I tried some things using Google Cloud SDK 413.0.0 and the Python client google-storage-client and learned somethings of relevance.

1. Options work with gcloud, but not all clients

All of the options below worked to setup the gcloud CLI with credentials.

• export CLOUDSDK_AUTH_ACCESS_TOKEN=<access token>
• gcloud config set auth/access_token_file $(pwd)/my-access-token.txt
• gcloud storage ls <bucket> --access_token_file=$(pwd)/my-access-token.txt

2. Python clients don't respect options listed above

In this github issue, support for CLOUDSDK_AUTH_ACCESS_TOKEN by Google's Python libraries is requested.

However, they can consume access tokens directly like this:

# Example on using a temporary GCP access token.
# 
# To acquire a token from some location, run
# 
#     gcloud auth print-access-token
#
# To use it with python libraries like google-cloud-storage, first create a
# credentials object to pass to the client.
#
import getpass
from google.cloud import storage
from google.oauth2.credentials import Credentials

# import an access token
# - option 1: read an access token from a file
with open("my-access-token.txt") as f:
    access_token = f.read().strip()
# - option 2: read an access token from user input
access_token = getpass.getpass("Enter access token: ")

# setup a storage client using credentials
credentials = Credentials(access_token)
storage_client = storage.Client(credentials=credentials)

# test the storage client by trying to list content in a google storage bucket
bucket_name = "something"  # don't include gs:// here
blobs = list(storage_client.list_blobs(bucket_name))
print(len(blobs))

Answer 2

Gcloud auth tokens expire in 60 minutes by default I think.

To provide long running access to another person or device you would use IAM to provide access to their account to perform the function you need them to do (by them doing their own gcloud auth).

If that's not an option you could create a service account, export a key for that service account, and provide the key to them which they could authenticate from the console/terminal by setting the GOOGLE_APPLICATION_CREDENTIALS variable prior to performing gcloud commands.

e.g.

export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"

Resources

• Grant an IAM role by using the Google Cloud console
• Creating and managing service accounts
• Getting started with authentication - Setting the environment variable