Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for CLOUDSDK_AUTH_ACCESS_TOKEN environment variable #1165

Open
jceresini opened this issue Oct 14, 2022 · 5 comments · May be fixed by #1467
Open

Support for CLOUDSDK_AUTH_ACCESS_TOKEN environment variable #1165

jceresini opened this issue Oct 14, 2022 · 5 comments · May be fixed by #1467
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@jceresini
Copy link

Thanks for stopping by to let us know something could be better!

PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.

Is your feature request related to a problem? Please describe.

We use vault to hand out tokens for GCP access.

Newer versions of gcloud support setting the environment variable CLOUDSDK_AUTH_ACCESS_TOKEN to our temporary token (see https://cloud.google.com/sdk/docs/authorizing).

We do something similar with terraform via the GOOGLE_OAUTH_ACCESS_TOKEN environment variable. (see: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference)

We'd like to be able to do something similar with our python applications without having to modify them to do anything other than call a single function to get credentials (google.auth.default()). That would allow us to run them locally with our own service account credentials or gcp users, within GCP services such as compute or appengine, and also in our CI jobs that use the tokens, without modification.

Describe alternatives you've considered

Currently we have to build our own credentials object via google.oauth2.credentials.Credentials. Here's a simplified example. The issue is we have to either put this logic in many of our apps, or build our own library to include in our apps:

from google.oauth2.credentials import Credentials
import google.auth


def auth():

    access_token = os.environ.get("GOOGLE_ACCESS_TOKEN")

    if access_token:
        creds = Credentials(os.environ.get("GOOGLE_ACCESS_TOKEN"))
    else:
        creds, _ = google.auth.default()

    return creds
@clundin25
Copy link
Contributor

Thanks for the report @jceresini. We will discuss this as a team.

@clundin25
Copy link
Contributor

Looks like this has been on our radar. I'll post more updates to this issue as we make progress on supporting this.

Thanks!

@clundin25 clundin25 added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Nov 7, 2022
@consideRatio
Copy link

consideRatio commented Jan 28, 2023
edited
Loading

Thank you for all your work on this library!!!

Note that CLOUDSDK_AUTH_ACCESS_TOKEN is available, but there is also the configuration option of gcloud called auth/access_token_file (gcloud config set auth/access_token_file <...>). I'm not sure if its in scope for this library to respect the environment variable and/or the gcloud config configuration as well, but the more things in parity with gcloud the better for me as a user.

For reference

@consideRatio consideRatio mentioned this issue Jan 28, 2023
Open
@jacek-jablonski
Copy link

The proposed change would make it much easier to work with containerized applications in development environments. Currently, there is no easy way to pass GCP credentials to a containerized application, without code changes.

Including the CLOUDSDK_AUTH_ACCESS_TOKEN check in the chain of possible authentication sources in the google.auth.default() function would make things much easier.

@sbakiu sbakiu mentioned this issue Aug 21, 2023
Open
@AmitChotaliya AmitChotaliya linked a pull request Feb 6, 2024 that will close this issue
Open
@adrianloy
Copy link

@clundin25 any chance of getting this one on the roadmap?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.
Projects
None yet
Milestone
No milestone
5 participants
@jceresini @consideRatio @adrianloy @jacek-jablonski @clundin25