I'm creating a shell script to handle automation for some of our workflows. This workflow includes accessing Google Buckets via Apache Beam GCP. I'm using a .json file with my service account. In which situations do I need to use:
gcloud auth activate-service-account --key-file myfile.json
vs
export GOOGLE_APPLICATION_CREDENTIALS=myfile.json
Because the private key lets you authenticate as the service account, having access to the private key is similar to knowing a user's password. The private key is known as a service account key. The key pairs used by service accounts fall into two categories, Google-managed and user-managed.
Your credentials are stored at ~/.config/gcloud. Credentials are stored in two files: access_tokens.db and credentials.
With a user account, you can authenticate to Google APIs and services in the following ways: Use the gcloud CLI to set up Application Default Credentials (ADC). Use the gcloud CLI to generate access tokens. Use your user credentials to impersonate a service account.
Depends what you're doing:
Interfacing with a Google Cloud service using one of their third-party SDK libraries (e.g. Go, Python)? Use the GOOGLE_APPLICATION_CREDENTIALS environment variable.
Making calls to a Google-provided tool, such as gcloud or gsutil? Use the tool's provided mechanism for authenticating with the remote service. For gcloud, this is the gcloud auth activate-service-account command.
The GOOGLE_APPLICATION_CREDENTIALS environment variable provides a mechanism for user-written applications using a Google Cloud SDK to easily import credentials if they are not otherwise accessible in their environment. These credentials are loaded according to the order of precedence defined in the ADC docs.
Other applications provided by Google have their own well-established mechanisms for importing credentials to authenticate to Google. This mechanism should be used where these applications are used. For common tools:
gcloud: use gcloud auth activate-service-account. Be aware that this may litter your disk with authentication credentials which persist, so for security reasons you may wish to configure the environment to ensure these are erased after use.
gsutil: if running standalone, use gsutil config -e to set up the service account. However, most installations will sit alongside the gcloud tool from the Google Cloud SDK, so should use the approach described above for gcloud.
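Both mechanisms from the answer above, combined in one wrapper for an automation script. This is an added example, not part of the original answer: with_sa_key is a hypothetical helper name, and it relies on CLOUDSDK_CONFIG, the Cloud SDK's environment variable for relocating its config directory, so that the credentials gcloud persists are erased after use.

```shell
#!/bin/sh
# Added example: with_sa_key is a hypothetical helper, not a gcloud feature.
# Usage: with_sa_key KEYFILE COMMAND [ARGS...]
#   e.g. with_sa_key ./myfile.json python my_pipeline.py   (hypothetical pipeline)
# The body is a subshell "( ... )", so the exports never reach the caller.
with_sa_key() (
    [ "$#" -ge 2 ] || { echo "usage: with_sa_key KEYFILE COMMAND..." >&2; exit 64; }
    key=$1; shift
    [ -r "$key" ] || { echo "cannot read key file: $key" >&2; exit 2; }

    # The key is as sensitive as a password: refuse it if group or other
    # have any permission bit set (characters 5-10 of the ls mode string).
    perms=$(ls -Lld -- "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "refusing $key: chmod 600 it first" >&2; exit 3; }

    # Absolute path, so COMMAND may change directory without losing the key.
    key=$(cd "$(dirname "$key")" && pwd)/$(basename "$key") || exit 2

    # Throwaway gcloud config directory instead of ~/.config/gcloud.
    cfg=$(mktemp -d) || exit 2
    export CLOUDSDK_CONFIG="$cfg"                  # read by gcloud
    export GOOGLE_APPLICATION_CREDENTIALS="$key"   # read by ADC client libraries (e.g. Beam)

    rc=0
    { gcloud auth activate-service-account --key-file="$key" --quiet && "$@"; } || rc=$?

    rm -rf "$cfg"   # erase the credential files gcloud wrote during this run
    exit "$rc"
)
```

The wrapper returns the wrapped command's exit status, so it can sit in a script that runs under set -e.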