I have a (maybe unique?) use case in some Python scripts that I am running. Namely, I want the parallel awesomeness of <code>gsutil</code> and so I don't do <code>from google.cloud import storage</code>, rather I use <code>subprocess</code> calls such as: <pre class="prettyprint"><code>subprocess.Popen(["gsutil", "-q", "-m", "-o", "GSUtil:parallel_process_count=8,GSUtil:parallel_thread_count=8", "cp", files, destination]) </code></pre> in order to upload and download files from buckets. In an instance group template I can pass in the service account via <code>-scopes</code>, but I'd like authentication to be handled at the application level. I tried setting environment variables and passing it to <code>subprocess</code>: <pre class="prettyprint"><code>os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "keyfile.json" tmp_env = os.environ.copy() subprocess.Popen(['gsutil', ...], env=tmp_env) </code></pre> but to no avail. Running: <pre class="prettyprint"><code>gcloud auth activate-service-account --key-file /path/to/keyfile.json --project my-project -q </code></pre> seems to be the best way to authenticate with a json keyfile that does not require the Python API. But it doesn't work if I throw it in at the end of my Dockerfile, and while I could of course throw it in at the end of a startup.sh script that I have executed at the end of an instance group template embedded bootstrap.sh script, neither is really accomplishing what I'd like. Namely, both get away from my original goal of having "gsutil authentication" at the application level. tl;dr Is there a way to pass keyfile.json credentials to <code>gsutil</code>? Is this a feature the gsutil team has ever discussed? My apologies if I just haven't been hunting the Cloud Platform and gsutil docs well enough.

You can provide a pointer to a JSON key file for <code>gsutil</code> in your <code>.boto</code> configuration file like so: <pre class="prettyprint"><code>[Credentials] gs_service_key_file = /path/to/your/keyfile.json </code></pre> This is equivalent to running <code>gsutil config -e</code> for a standalone (non-<code>gcloud</code>) install. If you want to provide this on the command line as opposed to in your <code>.boto</code> configuration file, you can use the <code>-o</code> parameter similar to how you configured the process and thread counts in your command line. To wit: <pre class="prettyprint"><code>subprocess.Popen(["gsutil", "-q", "-m", "-o", "Credentials:gs_service_key_file=/path/to/your/keyfile.json", "-o", "GSUtil:parallel_process_count=8", "-o", GSUtil:parallel_thread_count=8", "cp", files, destination]) </code></pre> Note that you need to make sure the key file path is accessible from within your container.

Can you pass a keyfile.json to gsutil?

Tags:

google-cloud-storage

gsutil

I have a (maybe unique?) use case in some Python scripts that I am running. Namely, I want the parallel awesomeness of gsutil and so I don't do from google.cloud import storage, rather I use subprocess calls such as:

subprocess.Popen(["gsutil", "-q", "-m", "-o", "GSUtil:parallel_process_count=8,GSUtil:parallel_thread_count=8", "cp", files, destination])

in order to upload and download files from buckets.

In an instance group template I can pass in the service account via -scopes, but I'd like authentication to be handled at the application level. I tried setting environment variables and passing it to subprocess:

os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "keyfile.json"
tmp_env = os.environ.copy()
subprocess.Popen(['gsutil', ...], env=tmp_env)

but to no avail. Running:

gcloud auth activate-service-account --key-file /path/to/keyfile.json --project my-project -q

seems to be the best way to authenticate with a json keyfile that does not require the Python API. But it doesn't work if I throw it in at the end of my Dockerfile, and while I could of course throw it in at the end of a startup.sh script that I have executed at the end of an instance group template embedded bootstrap.sh script, neither is really accomplishing what I'd like. Namely, both get away from my original goal of having "gsutil authentication" at the application level.

tl;dr Is there a way to pass keyfile.json credentials to gsutil? Is this a feature the gsutil team has ever discussed? My apologies if I just haven't been hunting the Cloud Platform and gsutil docs well enough.

780

asked Apr 20 '17 23:04

shogekiha

1 Answers

You can provide a pointer to a JSON key file for gsutil in your .boto configuration file like so:

[Credentials]
gs_service_key_file = /path/to/your/keyfile.json

This is equivalent to running gsutil config -e for a standalone (non-gcloud) install.

If you want to provide this on the command line as opposed to in your .boto configuration file, you can use the -o parameter similar to how you configured the process and thread counts in your command line. To wit:

subprocess.Popen(["gsutil", "-q", "-m", "-o", "Credentials:gs_service_key_file=/path/to/your/keyfile.json",
                 "-o", "GSUtil:parallel_process_count=8", "-o", GSUtil:parallel_thread_count=8", "cp", files, destination])

Note that you need to make sure the key file path is accessible from within your container.

answered Sep 18 '22 15:09

Travis Hobrla

Related questions
                            
                                How to call refFromURL in Firebase Cloud Function
                            
                                XMLHttpRequest CORS to Google Cloud Storage only working in preflight request
                            
                                How can I specify a region for the Cloud Storage buckets used by Cloud Build for a Cloud Run deployment?
                            
                                Can a Cloud Function read from Cloud Storage?
                            
                                Google Storage access based on IP Address
                            
                                copy file from Google Drive to Google Cloud Storage within Google
                            
                                Cloud Storage - No 'Access-Control-Allow-Origin' header is present on the requested resource for AngularJS view
                            
                                PUT files to Google Cloud Storage (GCS) via Signed URLs
                            
                                Is it possible to wget / curl protected files from GCS?
                            
                                Unable to authenticate Google Cloud Storage client in python
                            
                                Can't backup GAE application datastore to GS bucket
                            
                                Delete all files in 'folder' or with prefix in Google Cloud Bucket from Java
                            
                                gsutil make bucket command [gsutil mb] is not working
                            
                                Permissions For Google Cloud SQL Import Using Service Accounts
                            
                                Signing URLs with JWT for Google Cloud Storage using PHP
                            
                                Is there a limit to the length of metadata values in Google Cloud Storage?
                            
                                How to set access permissions of google cloud storage bucket folder
                            
                                Batch request with Google Cloud Storage python client
                            
                                What is the difference between gsutil and gcloud?
                            
                                How do I enable Google Cloud Storage on my local development server?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With