Client fails for reauth, while gsutil works fine

[hixus]

Environment details

1. Specify the API at the beginning of the title (for example, "BigQuery: ...")
   General, Core, and Other are also allowed as types
2. OS X highsierra
3. Python version and virtual environment information: Python 3.6.9
4. google-cloud- version: google-cloud-storage = 1.24.1

Steps to reproduce

Trying to use could-storage python package with user-credentials but it fails asking "'invalid_grant: reauth related error (rapt_required)'". Reauth does not help. However if I try it with gsutil in the same shell everything works.

Our company policy changed couple months ago so gcloud asks lot more often reauthentication.

Code example

client = storage.Client(project="prod-xxx")
bucket = client.get_bucket("model-data-prod-xxx")

Stack trace

File "/Users/xxx/Library/Caches/pypoetry/virtualenvs/model-pitkaveto-abtfw7oX-py3.6/lib/python3.6/site-packages/google/oauth2/_client.py", line 60, in _handle_error_response
    raise exceptions.RefreshError(error_details, response_body)
google.auth.exceptions.RefreshError: ('invalid_grant: reauth related error (rapt_required)', '{\n  "error": "invalid_grant",\n  "error_description": "reauth related error (rapt_required)",\n  "error_subtype": "rapt_required"\n}')
(model-xxx-abtfw7oX-py3.6) [xxx@mbp ~/projects/model_xxx/model_xxx (trainer *)]

Making sure to follow these steps will guarantee the quickest resolution possible.

Thanks!

[jeliashi]

are there any updates on this? I experience the same error...

[zachahuy02]

I am getting the same error and was able to remove this error when disable https://support.google.com/a/answer/9368756?hl=en. Re-enable causes the same error.

It looks like this happening in the python oauth2 sdk.

[emanuelem]

Hi @hixus ,

gsutil uses google-reauth-python library as you can see here.

There isn't much documentation out there on how to use that library, but you can try studying how it was implemented in gsutil here.

[trickster]

Hi,

gsutil asks for re-authentication, and asks for password. Our accounts are SSO enabled, so there is no password. How to proceed with this?

For now, we use a service account gcloud auth activate-service-account --key-file=/creds.json to bypass this issue. Also we cannot use this for user auth enabled applications

gcloud init does not work either, it says Re authentication needed.

[andrewsg]

@sivakon Can I confirm that you are also under the "Session Length for Google Cloud Services" organization policy as per this page: https://support.google.com/a/answer/9368756?hl=en ?

[trickster]

@andrewsg Upon talking with the support team, I found out that they implemented new security policy that restricts user auth session length https://support.google.com/a/answer/9368756?hl=en

[tseaver]

I believe this is actually an issue for the google-auth-python repository, likely already identified in googleapis/google-auth-library-python#261.

[andrewsg]

We're making progress on this in the auth side and should have a timeline soon.

[tseaver]

googleapis/google-auth-library-python#727 added reauth support to the synchronous version of user credentials. It was released in [google-auth 1.29.0]](https://github.com/googleapis/google-auth-library-python/releases/tag/v1.29.0).

googleapis/google-auth-library-python#738 are now supported in added reauth support to the asynchronous version of user credentials. It was released in `google.auth 1.30.0. Note that the async version of the feature is marked as "internal ... for gcloud developers only" in the release notes.