Get service account auth token without gcloud?

Asked 1/11, 2017 at 17:0 Answered 5/7, 2021 at 8:41

Is it possible to get an authorization bearer token for a Google Cloud service account without the use of gcloud?

That is, I would like to make an HTTP request (presumably signed in some way by my JSON key file) that would provide me the equivalent of

gcloud auth application-default print-access-token

This request would be made on my own server, where I may not wish to install gcloud and where I do not have access to any internal server metadata that might provide this (e.g., as is the case with Compute Engine).

Is there some oauth endpoint that provides something like this?

Alternately, is there some way to generate long-lived tokens with gcloud?

I'm new to the Google Cloud ecosystem, so excuse my ignorance and terminology...

Eppie answered 1/11, 2017 at 17:0 Comment(0)

I think that this is exactly what you are looking for:

https://developers.google.com/identity/protocols/OAuth2#serviceaccount

Honestly I don't think that what you were trying to achieve was correct, running

gcloud auth application-default print-access-token

you get a token that is not intended to do what you were looking for:

"This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials."

This should guide you a bit more in the implementation of this solution: https://developers.google.com/identity/protocols/OAuth2ServiceAccount

Rhizo answered 2/11, 2017 at 11:3 Comment(3)

Thanks, I think that's exactly what I need! All of the examples/tutorials I was looking at for Cloud APIs just used the gcloud auth mechanism... – Eppie 2/11, 2017 at 14:3

I am having similar problems @JacobBrown . Could you solve the issue and provide me some code? I am completely new to this and trying to connect a chrome extension to my google cloud ml model. I should do a CURL request that looks like this: $ curl -X POST \ -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \ -H "Content-Type: application/json" \ automl.googleapis.com/v1/projects/1243/locations/us-central1/… \ -d request.json – Sedan 20/1, 2020 at 11:8

Be aware this only lasts for 1 hour. – Cespitose 14/12, 2023 at 15:51

If your code runs on a GCE VM and you don't mind using that VMs service-account, then There is no need for a library or an api. You can obtain an access token using curl:

curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" | jq -r .access_token

It is useful if you need it in a shell script.

Megilp answered 16/4, 2019 at 9:5 Comment(2)

This is a useful snippet. You need to provide a little context though - this will only work from a GCE VM and will use that VMs service-account. I suspect confusion about that is why this is getting downvoted. I'd also note that you are using an API - the instance metadata API: cloud.google.com/appengine/docs/standard/java/… – Intoxicate 16/6, 2020 at 12:53

This was my first life saver of today. Here is my second life saver if you're using Cloud Build: https://mcmap.net/q/450481/-application-default-credentials-in-google-cloud-build – Handrail 1/3, 2022 at 1:19

Here's what it looks like in golang:

import(
    "google.golang.org/api/compute/v1"
    "google.golang.org/api/container/v1"
    "google.golang.org/api/iterator"
    "google.golang.org/api/option"
    "google.golang.org/api/transport"
)
ctx := context.Background()
creds, err := transport.Creds(ctx, option.WithScopes(compute.CloudPlatformScope))
token, err := creds.TokenSource.Token()

Pro answered 8/10, 2019 at 19:44 Comment(0)

For your second question, “is there some way to generate long-lived tokens with gcloud?”, no there is not. However, you can use a refresh token to generate new access tokens. Check the first answer for this question:

OAuth2 and Google API: Access token expiration time?

And also, here’s an example of a python library that you can use as an authentication mechanism:

https://github.com/GoogleCloudPlatform/google-auth-library-python/blob/master/google/oauth2/credentials.py

Bluejacket answered 2/11, 2017 at 13:55 Comment(1)

Thanks for the links! – Eppie 2/11, 2017 at 14:3

I think this is what you need:

https://github.com/googleapis/google-auth-library-java#explicit-credential-loading

Explicit Credential Loading To get Credentials from a Service Account JSON key use GoogleCredentials.fromStream(InputStream) or GoogleCredentials.fromStream(InputStream, HttpTransportFactory). Note that the credentials must be refreshed before the access token is available.

GoogleCredentials credentials = GoogleCredentials.fromStream(new FileInputStream("/path/to/credentials.json"));
credentials.refreshIfExpired();
AccessToken token = credentials.getAccessToken();
// OR
AccessToken token = credentials.refreshAccessToken();

Goldin answered 5/7, 2021 at 8:41 Comment(0)

Recommended topics

Hot tags