gcloud alias for Application Default Credentials

Shell alias script that will print the active in-use account for GCP application default credentials (ADC).

For example, if you run either

  • gcloud config list
  • gcloud auth list

this script will print the gcloud cli credentials as well as the application default credentials that are in use. The script also transparently passes any parameters through to the actual gcloud cli, so the alias behaves as if it were gcloud.

This script is not supported by Google

As background, users can configure gcloud to use two different credential sets: one for the gcloud cli and one for any Google Cloud SDK library. Sometimes it’s difficult to know which identity is used for ADC since there isn’t an easy way to show that. For example, the following command shows how two identities can be in use while only one is shown in gcloud config list:

$ gcloud config list
[core]
account = alice@domain.com <<<<<<<<<<<<<<<
project = your-project-id

Now print the identity used in gcloud cli operations… notice it’s alice@domain.com

However, any cloud SDK operation could use a different identity at the same time for ADC… in this case it’s bob@domain.com:

Now, if you use this alias, a gcloud config list will now show both credentials:

$ gcloud config list
[adc]
account = bob@domain.com
source = /home/bob/.config/gcloud/application_default_credentials.json
[core]
account = alice@domain.com
project = your-project-id

Usage/Install

To use, install jq and yq to parse json and yaml:

apt-get install jq
pip3 install yq

Then create a file called galias.sh, make it executable, and alias it:

chmod u+x /path/to/galias.sh
alias gcloud='/path/to/galias.sh'

Add the alias to your .profile to make it permanent.

You can apply the json and yaml display formats that gcloud supports:

  • json
$ gcloud config list --format json
{
  "core": {
    "account": "alice@domain.com",
    "project": "your-project-id"
  },
  "adc": {
    "account": "bob@domain.com"
  }
}
  • yaml
$ gcloud config list --format yaml
core:
  account: alice@domain.com
  project: your-project-id
adc:
  account: bob@domain.com

The json and yaml output is rendered with the additional adc.account value after gcloud finishes applying any formatting. That means this script does NOT support advanced formatting (e.g. you cannot use gcloud config list --format="value(ac.account)"). Instead, use jq or yq on the whole command:

$ gcloud config list --format=json  | jq -r '.adc.account'
bob@domain.com
$ gcloud config list --format=yaml | yq -r '.adc.account'
bob@domain.com

Test Cases

Note: the home directory is always alice’s, since she is the user logged in to the OS.

A) No ADC

$ gcloud auth application-default revoke
You are about to revoke the credentials stored in:
[/home/alice/.config/gcloud/application_default_credentials.json]
Credentials revoked.
$ unset GOOGLE_APPLICATION_CREDENTIALS
$ gcloud config list
[adc]
account =
source =
[core]
account = alice@domain.com
project = your-project-id

B) gcloud CLI with key file

$ gcloud config list
[adc]
account = bob@domain.com
source = /home/alice/.config/gcloud/application_default_credentials.json
[core]
account = alice@domain.com
project = your-project-id
$ gcloud auth activate-service-account --key-file=/path/to/svc-account.json
$ gcloud config list
[adc]
account = bob@domain.com
source = /home/alice/.config/gcloud/application_default_credentials.json
[core]
account = svc-account@your-project-id.iam.gserviceaccount.com
project = your-project-id

This is intended, since gcloud auth activate-service-account configures the gcloud cli and does not impact ADC.

C) ADC with GOOGLE_APPLICATION_CREDENTIALS

$ gcloud config list
[adc]
account = bob@domain.com
source = /home/alice/.config/gcloud/application_default_credentials.json
[core]
account = alice@domain.com
project = your-project-id
$ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/svc-account.json
$ gcloud config list
[adc]
account = svc-account@your-project-id.iam.gserviceaccount.com
source = /path/to/svc-account.json
[core]
account = alice@domain.com
project = your-project-id

D) With Metadata Server

$ gcloud config list
[adc]
account = gce-svc-account@your-project-id.iam.gserviceaccount.com
source = metadata
[core]
account = gce-svc-account@your-project-id.iam.gserviceaccount.com
project = your-project-id

E) Metadata Server without Service Account

$ gcloud config list
[adc]
account =
source =
[core]
project = your-project-id

F) GOOGLE_APPLICATION_CREDENTIALS with external_account

For use with federation:

The ADC credentials are empty since gcloud cli does not currently support it. It is possible to rearrange the script to check the type of the env-var credential that is set and display the ‘source’ as external_account, but that’s a TODO…
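
The file-based half of the lookup that test cases A, C and F exercise, as an added example rather than the author's galias.sh: it applies the ADC search order (GOOGLE_APPLICATION_CREDENTIALS, then the well-known file under ~/.config/gcloud, then the metadata server, which is not probed here) and reports the credential type, so an external_account file is labelled instead of showing an empty block. The function names adc_resolve and json_field, the extra type line and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not galias.sh): find the credential file ADC would load,
# offline, and print it in the alias's [adc] layout plus a "type" line.

# json_field FILE KEY: print one top-level string field. Uses jq as the page
# does; the sed fallback only copes with flat string fields.
json_field() {
  if command -v jq >/dev/null 2>&1; then
    jq -r --arg k "$2" '.[$k] // empty' "$1" 2>/dev/null
  else
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
  fi
}

adc_resolve() {
  wellknown="$HOME/.config/gcloud/application_default_credentials.json"
  src=""; kind=""; account=""
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    src="$GOOGLE_APPLICATION_CREDENTIALS"   # env var wins (test case C)
  elif [ -f "$wellknown" ]; then
    src="$wellknown"                        # written by application-default login
  fi                                        # neither: metadata server, not probed
  if [ -n "$src" ] && [ ! -r "$src" ]; then
    kind="unreadable"                       # env var points at a missing file
  elif [ -n "$src" ]; then
    kind=$(json_field "$src" type) || kind=""
    # A service account key names its identity in client_email; for other
    # types (authorized_user, external_account) account stays empty here.
    if [ "$kind" = "service_account" ]; then
      account=$(json_field "$src" client_email) || account=""
    fi
  fi
  printf '[adc]\naccount = %s\nsource = %s\ntype = %s\n' "$account" "$src" "$kind"
}

# Constructed sample files (no real key material) in a scratch directory.
demo_dir=$(mktemp -d)
printf '{\n  "type": "service_account",\n  "client_email": "svc-account@your-project-id.iam.gserviceaccount.com"\n}\n' \
  > "$demo_dir/svc.json"
printf '{\n  "type": "external_account",\n  "audience": "constructed-audience"\n}\n' \
  > "$demo_dir/ext.json"

( GOOGLE_APPLICATION_CREDENTIALS="$demo_dir/svc.json"; adc_resolve )   # case C
( GOOGLE_APPLICATION_CREDENTIALS="$demo_dir/ext.json"; adc_resolve )   # case F
rm -rf "$demo_dir"
```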


A collection of technical articles and blogs published or curated by Google Cloud Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.

salmaan rashid