Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support to service account json key authentication #507

Open
ilyavaiser opened this issue Mar 16, 2018 · 11 comments
Open

Add support to service account json key authentication #507

ilyavaiser opened this issue Mar 16, 2018 · 11 comments

Comments

@ilyavaiser
Copy link

By analogy with the gcloud utility, it's very lacking
@houglum
Copy link
Collaborator

houglum commented Mar 20, 2018

Gsutil offers service account authorization. gsutil config -e will prompt for the private key file containing your service account credentials. Were you inquiring about some other form of service account auth?

@ilyavaiser
Copy link
Author

ilyavaiser commented Mar 20, 2018
edited

This is unsuitable for use in scripts. When I have a file with a key. And can not use promt. The gcloud utility allows to use non-interactive authorization via a key file

@houglum
Copy link
Collaborator

houglum commented Mar 20, 2018

A couple of potential workarounds:

  • If you're able to use a gcloud installation of gsutil, it should take care of the service account auth for you (creating a boto file on your behalf, behind the scenes, that points to this keyfile).
  • If you're using a standalone installation of gsutil, you can create your boto file beforehand. If you're running the scripts on remote VMs, you can copy both the boto file and the key file to the VM. (This is the approach I generally use.)

@ilyavaiser
Copy link
Author

I do not need workarounds. I want gsutil to work as well as gcloud with service account authorization. This will greatly facilitate the tasks of automation.

@houglum
Copy link
Collaborator

houglum commented Mar 22, 2018

We purposely make the gsutil config process interactive because of all the edge cases, the main one being that different information is necessary to create the config file depending on whether you specify a JSON or P12 keyfile. Once you have a valid config file, you can alter it and package it (alongside the keyfile you're already packaging) for use with automated scripts. And if you want to use gcloud's credential management system with gsutil, that's easily achievable by installing and configuring gcloud.

I'd argue that it's just as easy to run a gsutil config command as it is to construct a short boto file like this:

[Credentials]
gs_service_key_file = /path/to/keyfile.json

[GSUtil]
default_project_id = id-for-my-project

or to do what gcloud does under the hood for most config options -- passing them as arguments to gsutil on the command line; this has the benefit of not fiddling with creating files:

gsutil -o "Credentials:gs_service_key_file=/path/to/keyfile.json" \
    -o "default_project_id=id-for-my-project" \
    <rest of command>

@ilyavaiser
Copy link
Author

This is a great feature, I know about it. But this is inconvenient. Why do I need another file when I want to unify with the gcloud utility?

Just add the ability to specify the key.json file as a parameter, without additional files. This will make life easier for many.

@ilyavaiser
Copy link
Author

And it would be nice to point this case to the documentation with a concrete example. Thank you!

@mloughran
Copy link

A concrete example where this causes issues: I am using the gs_service_key_file workaround mentioned above, used within some wrapper scripts. However if a user has also configured a default user account via gcloud auth application-default login, the command will fail with this rather unhelpful error:

$ gsutil -o "Credentials:gs_service_key_file=/path/to/keyfile.json" rsync ...
Caught non-retryable exception while listing gs://<snip>/: CommandException: \
You have multiple types of configured credentials ([u'Oauth 2.0 User Account', u'OAuth 2.0 \
Service Account']), which is not supported. One common way this happens is if you run gsutil \
config to create credentials and later run gcloud auth, and create a second set of credentials. Your \
boto config path is: ['<snip>']. For more help, see "gsutil help creds".
CommandException: Caught non-retryable exception - aborting rsync

I would also argue that an --auth command line flag would be much simpler. Thanks.

@NikkyAI
Copy link

NikkyAI commented Nov 11, 2020

the mentioned workaround does not seem to work anymore
without any error message or debug log, it just prints the help message and stops

@AndrewJDR
Copy link

Just to bring up another reason it would be handy to have a well-supported way to do this in scripts:
I have a script that fires off many separate gsutil command executions, and each time it may use one of many different service accounts. Simply being able to specify a different service account json to the gsutil command is really the easiest way to deal with this. I'm not even sure how to do it with a boto file, since there's frequent swapping between many service accounts on these different gsutil executions, as mentioned.

The Credentials:gs_service_key_file workaround is working for now, but I'm on an older version of gsutil. It's concerning that it may stop working when I upgrade, as @NikkyAI mentioned above it no longer works :(

@SabyasachiNayak
Copy link

@NikkyAI @AndrewJDR I got the same error but after adding GSUtil to default_project_id it worked for me.
Here is the command:-

gsutil -o "Credentials:gs_service_key_file=/path/to/keyfile.json"
-o "GSUtil:default_project_id=id-for-my-project"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mloughran @ilyavaiser @AndrewJDR @SabyasachiNayak @NikkyAI @houglum