google-auth-library-python
Support for CLOUDSDK_AUTH_ACCESS_TOKEN environment variable
Is your feature request related to a problem? Please describe.
We use vault to hand out tokens for GCP access.
Newer versions of gcloud support setting the environment variable CLOUDSDK_AUTH_ACCESS_TOKEN to our temporary token (see https://cloud.google.com/sdk/docs/authorizing).
We do something similar with terraform via the GOOGLE_OAUTH_ACCESS_TOKEN environment variable. (see: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference)
We'd like to be able to do something similar with our python applications without having to modify them to do anything other than call a single function to get credentials (google.auth.default()). That would allow us to run them locally with our own service account credentials or gcp users, within GCP services such as compute or appengine, and also in our CI jobs that use the tokens, without modification.
Describe alternatives you've considered
Currently we have to build our own credentials object via google.oauth2.credentials.Credentials. Here's a simplified example. The issue is we have to either put this logic in many of our apps, or build our own library to include in our apps:
```python
import os

import google.auth
from google.oauth2.credentials import Credentials


def auth():
    # Prefer a pre-issued access token from the environment, if one is set.
    access_token = os.environ.get("GOOGLE_ACCESS_TOKEN")
    if access_token:
        creds = Credentials(access_token)
    else:
        # Otherwise fall back to Application Default Credentials.
        creds, _ = google.auth.default()
    return creds
```
Thanks for the report @jceresini. We will discuss this as a team.
Looks like this has been on our radar. I'll post more updates to this issue as we make progress on supporting this.
Thanks!
Thank you for all your work on this library!!!
Note that CLOUDSDK_AUTH_ACCESS_TOKEN is available, but there is also the configuration option of gcloud called auth/access_token_file (gcloud config set auth/access_token_file <...>). I'm not sure if it's in scope for this library to respect the environment variable and/or the gcloud config configuration as well, but the more things in parity with gcloud the better for me as a user.
For reference
- The CLOUDSDK_AUTH_ACCESS_TOKEN variable was introduced in google cloud sdk 317.0.0.
- I provided this stackoverflow answer linking back to this issue.
The proposed change would make it much easier to work with containerized applications in development environments. Currently, there is no easy way to pass GCP credentials to a containerized application, without code changes.
Including the CLOUDSDK_AUTH_ACCESS_TOKEN check in the chain of possible authentication sources in the google.auth.default() function would make things much easier.
@clundin25 any chance of getting this one on the roadmap?