Difference between gcloud auth activate-service-account --key-file and GOOGLE_APPLICATION_CREDENTIALS

I'm creating a shell script to handle automation for some of our workflows. This workflow includes accessing Google Buckets via Apache Beam GCP. I'm using a .json file with my service account; in which situations do I need to use:

    gcloud auth activate-service-account --key-file myfile.json

vs

    export GOOGLE_APPLICATION_CREDENTIALS=myfile.json
gogasca asked Sep 17 '18 22:09

1 Answer

Depends what you're doing:

  • Interfacing with a Google Cloud service using one of their third-party SDK libraries (e.g. Go, Python)? Use the GOOGLE_APPLICATION_CREDENTIALS environment variable.

  • Making calls to a Google-provided tool, such as gcloud or gsutil? Use the tool's provided mechanism for authenticating with the remote service. For gcloud, this is the gcloud auth activate-service-account command.


The GOOGLE_APPLICATION_CREDENTIALS environment variable provides a mechanism for user-written applications using a Google Cloud SDK to easily import credentials if they are not otherwise accessible in their environment. These credentials are loaded according to the order of precedence defined in the ADC docs.

Other applications provided by Google have their own well-established mechanisms for importing credentials to authenticate to Google. This mechanism should be used where these applications are used. For common tools:

  • gcloud: use gcloud auth activate-service-account. Be aware that this may litter your disk with authentication credentials which persist, so for security reasons you may wish to configure the environment to ensure these are erased after use.
  • gsutil: if running standalone, use gsutil config -e to set up the service account. However, most installations will sit alongside the gcloud tool from the Google Cloud SDK, so should use the approach described above for gcloud.
Cosmic Ossifrage answered Sep 19 '22 22:09
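The split the answer describes, written up as an added example for the kind of script in the question (this is not code from the question or the answer): GOOGLE_APPLICATION_CREDENTIALS covers the SDK-based Beam pipeline, while gcloud is pointed at a throwaway config directory via CLOUDSDK_CONFIG so the credentials it persists are erased when the script exits. The key file name is taken from the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the question or answer: one script that feeds the
# service account key to both mechanisms and erases gcloud's persisted copy.
set -eu

KEY_FILE="${1:-myfile.json}"   # the service account key file from the question

# Mechanism 1: SDK-based code (the Apache Beam pipeline, client libraries)
# reads the key through Application Default Credentials. Only the path is
# exported; nothing is copied to disk.
export GOOGLE_APPLICATION_CREDENTIALS="$KEY_FILE"

# Mechanism 2: gcloud writes credentials.db / access_tokens.db into its config
# directory (~/.config/gcloud by default). CLOUDSDK_CONFIG redirects that
# directory, so a fresh mktemp dir keeps the persisted credentials out of $HOME.
setup_isolated_gcloud_config() {
  CLOUDSDK_CONFIG="$(mktemp -d)"
  chmod 700 "$CLOUDSDK_CONFIG"       # owner-only, like a private key file
  export CLOUDSDK_CONFIG
}

# Remove the isolated directory and everything gcloud stored in it. Safe to
# call twice; registered as an EXIT trap so it also runs on failure or Ctrl-C.
cleanup_isolated_gcloud_config() {
  if [ -n "${CLOUDSDK_CONFIG:-}" ] && [ -d "$CLOUDSDK_CONFIG" ]; then
    rm -rf "$CLOUDSDK_CONFIG"
  fi
}

main() {
  setup_isolated_gcloud_config
  trap cleanup_isolated_gcloud_config EXIT

  # Only activate when the tool and the key are actually present, so the
  # script can be dry-run on a machine without the Cloud SDK.
  if command -v gcloud >/dev/null 2>&1 && [ -r "$KEY_FILE" ]; then
    gcloud auth activate-service-account --key-file "$KEY_FILE"
    # gsutil from the same SDK install reads this CLOUDSDK_CONFIG as well.
    # Workflow steps (gsutil calls, launching the Beam pipeline) go here.
  else
    echo "gcloud or $KEY_FILE not available; skipping activation" >&2
  fi
}

main "$@"
```

Running the script leaves no credentials.db behind in ~/.config/gcloud, which is the persistence the answer warns about; the key file itself still needs to be protected separately.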