Application default credentials – humans versus service accounts
What is your ADC? (More appropriately, WHERE is your ADC)?
The place where you store the JSON file containing the service account credentials is your default location, which Google calls ADC.
Logging in to GCP - humans versus Service accounts
When you use the gcloud auth login command to provide your user credentials, it passes your human user credentials through to GCP.
The issue is that your human credentials may have to go through SSO or MFA (or both), which will block CLI access. An alternative is to create a service account in the GCP console and use solely that service account to authenticate to GCP.
You accomplish this by using the --impersonate-service-account flag or the auth/impersonate_service_account property to impersonate a service account.
gcloud auth login --impersonate-service-account=SERVICE_ACCOUNT_EMAILS
Potential downside of using impersonate service account
One drawback is that this access is short-lived (60 minutes). You need to keep generating new access tokens each time.
export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token --impersonate-service-account=<sa-name>.iam.gserviceaccount.com)
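Because of the 60-minute lifetime, a long session has to re-run that command. The following is an added example, not part of the original post: it caches the impersonated token in a file only the owner can read and asks gcloud for a new one after 55 minutes. SA_EMAIL, TOKEN_CACHE, TOKEN_MAX_AGE and the function names are assumptions of this example, not gcloud settings.

```shell
# Added example: cache the impersonated access token, refresh before the 60-minute expiry.
# SA_EMAIL, TOKEN_CACHE, TOKEN_MAX_AGE and the function names are assumptions of this example.
SA_EMAIL="${SA_EMAIL:-SERVICE_ACCOUNT_EMAIL}"   # placeholder: your service account email
TOKEN_CACHE="${TOKEN_CACHE:-$HOME/.cache/gcp-impersonated-token}"
TOKEN_MAX_AGE="${TOKEN_MAX_AGE:-3300}"          # 55 minutes, a margin under the 60-minute lifetime

# Print the cached token's age in seconds; a missing or corrupt cache counts as expired.
token_age() {
  [ -s "$TOKEN_CACHE" ] || { echo 999999; return 0; }
  ta_issued=$(head -n 1 "$TOKEN_CACHE")
  case "$ta_issued" in
    ''|*[!0-9]*) echo 999999; return 0 ;;
  esac
  echo $(( $(date +%s) - ta_issued ))
}

# Ask gcloud for a fresh token and store "issue time, token" readable by the owner only.
refresh_token() {
  rt_token=$(gcloud auth print-access-token --impersonate-service-account="$SA_EMAIL") || return 1
  [ -n "$rt_token" ] || return 1
  mkdir -p "$(dirname "$TOKEN_CACHE")"
  ( umask 077; printf '%s\n%s\n' "$(date +%s)" "$rt_token" > "$TOKEN_CACHE" ) || return 1
  chmod 600 "$TOKEN_CACHE"
}

# Print a valid token, calling gcloud only when the cached one is too old.
get_token() {
  if [ "$(token_age)" -ge "$TOKEN_MAX_AGE" ]; then
    refresh_token || return 1
  fi
  sed -n '2p' "$TOKEN_CACHE"
}

# Usage, before each batch of commands that reads the variable:
#   GOOGLE_OAUTH_ACCESS_TOKEN="$(get_token)" && export GOOGLE_OAUTH_ACCESS_TOKEN
```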