How to use GOOGLE_APPLICATION_CREDENTIALS with gcloud on a server?

Question

What is the simplest way to use the gcloud command line non-interactively with a Service Account outside of GCE? Preferably without littering the file system with credentials files, which is what gcloud auth activate-service-account --key-file=... does.

There are many use cases for using gcloud with a service account. For example, on a server, I would like to test that the GOOGLE_APPLICATION_CREDENTIALS is correctly set and has the required permissions before running my application. Or, I would like to run some setup scripts or cron scripts that perform some check with the gcloud command line.

Google Cloud libraries (e.g. python, java) automatically use the environment variable GOOGLE_APPLICATION_CREDENTIALS to authenticate to Google Cloud. But unfortunately, this command line seems to have no effect on gcloud. What is a clean way to use gcloud while leaving the filesystem intact?

$ GOOGLE_APPLICATION_CREDENTIALS=/etc/my-service-account-4b4b6e63aaed.json gcloud alpha pubsub topics publish testtopic hello ERROR: (gcloud.alpha.pubsub.topics.publish) You do not currently have an active account selected. Please run: $ gcloud auth login to obtain new credentials, or if you have already logged in with a different account: $ gcloud config set account ACCOUNT to select an already authenticated account to use. 

Answer 1

gcloud generally does not use GOOGLE_APPLICATION_CREDENTIALS environment variable. It only has some commands to facilitate setting up these application default credentials in gcloud auth application-default [login|revoke|print-access-token...].

By default gcloud stores its configuration in ${HOME}/.config/gcloud. It is possible to override that location by setting CLOUDSDK_CONFIG environment variable.

Also it is possible (though more tedious) to override most setting so that they do not need to be preconfigured via gcloud config set ... and/or gcloud auth activate-service-account. For each setting one can specify environment variable.

For example the equivalent command you tried to use service account key file would be:

$ CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/etc/my-service-account-4b4b6e63aaed.json \ gcloud alpha pubsub topics publish testtopic hello 

Note that this will still cache credentials in CLOUDSDK_CONFIG since it needs to cache access-token, so that it wont have to refresh it on each invocation.

For your use case best option in my view would be

1. Set CLOUDSDK_CONFIG to some temp directory
2. gcloud auth activate-service-account --key-file=...
3. ... use gcloud to do your work ...
4. Remove temp CLOUDSDK_CONFIG directory.

Answer 2

1) Create a ServiceAccount in GCP IAM. Check the box to "Furnish a new private key", and select JSON as the file type.

2) Download the JSON file to your server, and type: gcloud auth activate-service-account --key-file serviceaccount.json

3) Verify credentials were applied by running gcloud auth list.

Answer 3

if you already have the env-var and json key, just run:

gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS 

this will activate the service account for gcloud/gsutil

Answer 4

Have you look at the --account option? Like

$gcloud --account="foo" ... 

(Reference)

Regarding "Preferably without littering the file system with credentials files", I am not sure if it possible to achieve.