Get service account auth token without gcloud?

Question

Is it possible to get an authorization bearer token for a Google Cloud service account without the use of gcloud?

That is, I would like to make an HTTP request (presumably signed in some way by my JSON key file) that would provide me the equivalent of

gcloud auth application-default print-access-token 

This request would be made on my own server, where I may not wish to install gcloud and where I do not have access to any internal server metadata that might provide this (e.g., as is the case with Compute Engine).

Is there some oauth endpoint that provides something like this?

Alternately, is there some way to generate long-lived tokens with gcloud?

I'm new to the Google Cloud ecosystem, so excuse my ignorance and terminology...

Answer 1

I think that this is exactly what you are looking for:

https://developers.google.com/identity/protocols/OAuth2#serviceaccount

Honestly I don't think that what you were trying to achieve was correct, running

gcloud auth application-default print-access-token 

you get a token that is not intended to do what you were looking for:

"This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials."

This should guide you a bit more in the implementation of this solution: https://developers.google.com/identity/protocols/OAuth2ServiceAccount

Answer 2

Here's what it looks like in golang:

import(     "google.golang.org/api/compute/v1"     "google.golang.org/api/container/v1"     "google.golang.org/api/iterator"     "google.golang.org/api/option"     "google.golang.org/api/transport" ) ctx := context.Background() creds, err := transport.Creds(ctx, option.WithScopes(compute.CloudPlatformScope)) token, err := creds.TokenSource.Token()