I'm working on a project that is hosted on Google Cloud Platform, and I'm trying to get used to their gcloud cli. One thing that I really don't understand is its authentication scheme.
As an example, if I run gcloud config configurations list, I get a list of all my configurations:
PS C:\Users\username\dev\project-library> gcloud config configurations list
NAME               IS_ACTIVE  ACCOUNT            PROJECT          COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
default            True       [email protected]  project-dev-gcp
project-dev-local  False                         project-dev-gcp
Similarly, if I run gcloud auth list, it shows me the account that I am authenticated with:
PS C:\Users\username\dev\project-library> gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* [email protected]
To set the active account, run:
$ gcloud config set account `ACCOUNT`
But if I try to run gcloud projects list, I don't get a list of my GCP projects. Instead, I see an error that suggests that I am not authenticated:
PS C:\Users\username\dev\project-library> gcloud projects list
ERROR: (gcloud.projects.list) UNAUTHENTICATED: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
Ok, so what if I try to authenticate with gcloud auth application-default login?
PS C:\Users\username\dev\project-library> gcloud auth application-default login
Your browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=xxxx
Credentials saved to file: [C:\Users\username\AppData\Roaming\gcloud\application_default_credentials.json]
These credentials will be used by any library that requests Application Default Credentials (ADC).
ERROR: (gcloud.auth.application-default.login) UNAUTHENTICATED: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
There's that UNAUTHENTICATED error again, despite the fact that my browser opened to the login page, I chose my Google account, and then granted access to the Google Auth Library when prompted to.
The weird thing is that I actually have an access token:
PS C:\Users\username\dev\project-library> gcloud auth print-access-token
ya29.a0AfH6SMCGhGKSd39hJxfCBBNIDPGvpGjjskAKNDyH24C9TU0tG8P-FH_YL3OBJOZiqFXD4hKbVGCSNpfuwqOhB2p7uaBI_PtMuQO_Ip2fiMYHbHeLzyKKrnthFV4MqCNM_P80uQrTFy9LvvFm-kpcYFFFmh4Sam2Uoq3wsPW8m9febwFX2-4
Ultimately, what I'd like to do is get the kubernetes configuration so that I can interact with the cluster using kubectl, but of course gcloud container clusters get-credentials tells me that I'm not authenticated:
PS C:\Users\username\dev\project-library> gcloud container clusters get-credentials project-dev --region us-east4 --project project-dev-gcp
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=401, message=Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
So what gives? How come I can't seem to do anything with gcloud? What causes the UNAUTHENTICATED error, and how do I fix it?
I am very familiar with the aws cli authentication scheme, but I'm having a hard time wrapping my head around the way that gcloud does things. Even though the cli isn't working, I seem to have full console access, and I know that this stuff did work at one point because I have accessed the kubernetes cluster logs using k9s in the past.
Figured out the problem. It seems my [default] profile at C:\Users\username\AppData\Roaming\gcloud\configurations\config_default contained some bad config values that were causing the issue:
[core]
account = [email protected]
project = project-dev-gcp
[compute]
[auth]
disable_credentials = true
[spanner]
instance = project-local
[api_endpoint_overrides]
spanner = http://localhost:9020/
The unauthenticated problem in OP was caused by disable_credentials = true, and the contents of the [api_endpoint_overrides] section would have caused similar problems if I were trying to interact with Google Cloud Spanner via the CLI.
Now, this profile does make sense in some contexts. We keep another gcloud configuration for local testing, and in that case, we actually do want to disable auth and point calls to Cloud Spanner at an emulator running in a docker container. Obviously, this should not be the case in the [default] profile that is used to talk to real GCP.
The solution was to remove the offending config from that file so that it looks like:
[core]
account = [email protected]
project = project-dev-gcp
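An added example, not part of the original answer or of gcloud itself: a Python check that parses every file under the gcloud configurations directory and reports the two settings the answer identifies, auth/disable_credentials and any [api_endpoint_overrides] entry that points away from googleapis.com. The sample text, the user@example.com account, the function names and the set of truthy spellings are assumptions made for this example.

```python
import configparser
import os
from pathlib import Path
from urllib.parse import urlparse

# Spellings treated as "true" here (assumption for this example).
TRUTHY = {"true", "1", "on", "yes", "y"}

# Constructed sample mirroring the broken config_default from the answer.
SAMPLE_BAD = """[core]
account = user@example.com
project = project-dev-gcp
[compute]
[auth]
disable_credentials = true
[spanner]
instance = project-local
[api_endpoint_overrides]
spanner = http://localhost:9020/
"""

def audit_config(text):
    """Return findings for the INI text of one gcloud configuration file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # With this set, gcloud sends requests without a credential (the 401 above).
    if cp.get("auth", "disable_credentials", fallback="").strip().lower() in TRUTHY:
        findings.append("auth/disable_credentials is enabled")
    if cp.has_section("api_endpoint_overrides"):
        for api, url in cp.items("api_endpoint_overrides"):
            host = urlparse(url).hostname or ""
            if host != "googleapis.com" and not host.endswith(".googleapis.com"):
                findings.append(f"api_endpoint_overrides/{api} = {url}")
    return findings

def audit_all(config_dir):
    """Map each configurations/config_* file name to its findings."""
    files = sorted((Path(config_dir) / "configurations").glob("config_*"))
    return {f.name: audit_config(f.read_text(encoding="utf-8")) for f in files}

def default_config_dir():
    # CLOUDSDK_CONFIG overrides the default location of the gcloud config directory.
    if os.environ.get("CLOUDSDK_CONFIG"):
        return Path(os.environ["CLOUDSDK_CONFIG"])
    base = Path(os.environ["APPDATA"]) if os.name == "nt" else Path.home() / ".config"
    return base / "gcloud"

if __name__ == "__main__":
    print("sample:", audit_config(SAMPLE_BAD))
    for name, findings in audit_all(default_config_dir()).items():
        print(name, "OK" if not findings else findings)
```

A finding is only a problem in a configuration that is meant to talk to real GCP; the local-testing configuration described in the answer is expected to be flagged.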