How to use GOOGLE_APPLICATION_CREDENTIALS with gcloud on a server

gcloudgoogle-cloud-platform

What is the simplest way to use the gcloud command line non-interactively with a Service Account outside of GCE? Preferably without littering the file system with credentials files, which is what gcloud auth activate-service-account --key-file=... does.

There are many use cases for using gcloud with a service account. For example, on a server, I would like to test that the GOOGLE_APPLICATION_CREDENTIALS is correctly set and has the required permissions before running my application. Or, I would like to run some setup scripts or cron scripts that perform some check with the gcloud command line.

Google Cloud libraries (e.g. python, java) automatically use the environment variable GOOGLE_APPLICATION_CREDENTIALS to authenticate to Google Cloud. But unfortunately, this command line seems to have no effect on gcloud. What is a clean way to use gcloud while leaving the filesystem intact?

$ GOOGLE_APPLICATION_CREDENTIALS=/etc/my-service-account-4b4b6e63aaed.json gcloud alpha pubsub topics publish testtopic hello
ERROR: (gcloud.alpha.pubsub.topics.publish) You do not currently have an active account selected.
Please run:

  $ gcloud auth login

to obtain new credentials, or if you have already logged in with a
different account:

  $ gcloud config set account ACCOUNT

to select an already authenticated account to use.

Best Answer

gcloud generally does not use GOOGLE_APPLICATION_CREDENTIALS environment variable. It only has some commands to facilitate setting up these application default credentials in gcloud auth application-default [login|revoke|print-access-token...].

By default gcloud stores its configuration in ${HOME}/.config/gcloud. It is possible to override that location by setting CLOUDSDK_CONFIG environment variable.

Also it is possible (though more tedious) to override most setting so that they do not need to be preconfigured via gcloud config set ... and/or gcloud auth activate-service-account. For each setting one can specify environment variable.

For example the equivalent command you tried to use service account key file would be:

$ CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/etc/my-service-account-4b4b6e63aaed.json \
    gcloud alpha pubsub topics publish testtopic hello

Note that this will still cache credentials in CLOUDSDK_CONFIG since it needs to cache access-token, so that it wont have to refresh it on each invocation.

For your use case best option in my view would be

  1. Set CLOUDSDK_CONFIG to some temp directory
  2. gcloud auth activate-service-account --key-file=...
  3. ... use gcloud to do your work ...
  4. Remove temp CLOUDSDK_CONFIG directory.
Related Topic