I,ve added my service-account successfuly using below command.
gcloud auth activate-service-account --key-file=mycredentialsialreadyhad.json
Now I can't remove or logout from it.
any help would be greatly appreciated.
edit:
i tried this commands and got error
gcloud auth revoke
ERROR: (gcloud.auth.revoke) Cannot revoke GCE-provided credentials.
gcloud config configurations delete default
ERROR: (gcloud.config.configurations.delete) Deleting named configuration failed because configuration [default] is set as active. Use gcloud config configurations activate to change the active configuration.
edit2: this gcloud cli is on GCP ubuntu VM
UPDATE
Use a command with a specified account because you can't revoke the Compute Engine service account(default).
For example:
gcloud auth revoke serviceaccount#testproject.iam.gserviceaccount.com
and run:
gcloud auth list
It should only display the default service account of the Compute Engine:
[PROJECT-NUMBER]-compute#developer.gserviceaccount.com
I may be late to the party on this, but the solution that I found works is:
gcloud config unset auth/impersonate_service_account
Followed by:
gcloud auth login
TLDR; To logout from all accounts
gcloud auth revoke --all
To check active account logins
gcloud auth list
To logout form one account only (take account from command above)
gcloud auth revoke [ACCOUNT]
this error happens when you try to remove a service account that was propagated to the machine during the creation time (docs here).
this service account could not be removed from your machine.
in any other case, the following commands should work (as mentioned in other answers here).
gcloud auth revoke --all
OR
gcloud auth revoke [ACCOUNT]
Use the below syntax to activate the service account. Here we need to mention service account ID.
gcloud auth activate-service-account testpck#xxxxxx.iam.gserviceaccount.com --key-file=xxxxxx.json --project=xxxxxx
Use the below syntax to revoke the service account:
gcloud auth revoke testpck#xxxxx.iam.gserviceaccount.com
Error encountered in your case because the service account ID was not mentioned in gcloud auth revoke command , which is trying to revoke your active google account.
Permissions are denied if you disable the service account instead of revoke. If you revoke the service account then default account will get activated and that might have permission to storage.
In addition to gcloud auth revoke commands mentioned above, I also had to unset the GOOGLE_APPLICATION_CREDENTIALS env variable.
unset GOOGLE_APPLICATION_CREDENTIALS
Related
I'm using gcloud and kubectl to handle my resources (Kubernetes, VM and so on). Everything worked find until I read some article that created a new service account and activate it via cloud. Something like this:
gcloud auth activate-service-account --key-file=path/to/key
The created service account has limited permissions to few resources. When I run commands, like:
kubectl --namespace production get pods
I'm getting back response like:
Error from server (Forbidden): pods is forbidden: User
"SA-USER#PROGECTNAME.iam.gserviceaccount.com"
cannot list resource "pods" in API group "" in the namespace
"production": requires one of ["container.pods.list"] permission(s).
The SA SA-USER#PROGECTNAME.iam.gserviceaccount.com is the service account that I created yesterday. For some reason, it took control on my default permissions and I'm locked out because this user almost has no permissions.
I tried to make the gcloud forget this service account without success. Things I tried:
Uninstall & Install of gcloud and kubectl
Remove the config directory ("~/.config/gcloud/")
gcloud auth login
All those tried was failed. I still getting the same message as above.
How I can make gcloud and kubectl forget this service account?
Thanks!
UPDATE for the new auth plugin:
Some time ago, gke adopted the new auth plugin architecture for kubernetes.
In the new plugin gke-gcloud-auth-plugin, the authentication cache is at
macOS: ~/.kube/gke_gcloud_auth_plugin_cache
(Please edit this answer to include locations in others operation systems.)
You can just delete that file.
There is a problem with the expiration of the authentication token used by kubectl.
When you choose a new user via gcloud and make a kubectl request, an authentication token is cached locally.
A workaround is to edit your ~/.kube/config and set a date in the past for the expiry field on the relevant user section.
You can perform a gcloud auth application-default login
You can also see the current configuration of your gcloud CLI by doing gcloud config list. You can change some default parameter with gcloud config set param_name param_value. For example (because you will use often it if you have several projects)
gcloud config set project MyProjectId
With these, you will be able to solve your issue
Trying to run:
gcloud services enable cloudresourcemanager.googleapis.com —project=$GOOGLE_CLOUD_PROJECT
I get the authorisation error:
Enabling the Cloud Resource Manager API for project xxxxxxxxx... ERROR: (gcloud.services.enable) User [joe.bloggs#googlemail.com] does not have permission to access project [xxxxxxxxx] (or it may not exist): Service '—project=xxxxxxxxx' not found or permission denied.
When I check the GCP policy troubleshooter it says that I have owner role in the project xxxxxxxxx. However you can see in GCP console my email address as joe.bloggs#gmail.com but in my gcloud config its joe.bloggs#googlemail.com. I have tried to change it to gmail.com in gcloud config and googlemail.com in project owner role but don't seem to be able to.
First set basic auth from your terminal:
gcloud auth application-default login
Then set the project like below:
gcloud config set project <put your project id>
Then create a service account with owner setup
gcloud iam service-accounts create sa-name \
--description="sa-description" \
--display-name="sa-display-name"
Here sa-description is an optional description for the service account.
sa-display-name is a friendly name for the service account.
project-id is the ID of your Google Cloud project.
Then add owner policy:
gcloud projects add-iam-policy-binding my-project-123 \
--member serviceAccount:sa-name#project-id.iam.gserviceaccount.com \
--role roles/owner
Then create the service account key:
gcloud iam service-accounts keys create ~/key.json \
--iam-account sa-name#project-id.iam.gserviceaccount.com
Then use this key:
export GCLOUD_APPLICATION_CREDENTIALS="~/key.json"
gcloud auth activate-service-account --key-file \
$GCLOUD_APPLICATION_CREDENTIALS
Then enable:
gcloud services enable cloudresourcemanager.googleapis.com —project=$GOOGLE_CLOUD_PROJECT
I understand there is an error in the gmail account used to login in gcloud, try using the "gcloud auth list" command to verify the account used in gcloud, you can then use the "gcloud auth revoke --all" command to logout from all acocunts in gcloud and after that try "gcloud auth login email#address.com" to relogin using the right account.
If the owner email is wrong in cloud console and you are still able to login with that account, just add another IAM role with the right account as owner in the IAM menu, and then you can delete the misspelled account if necessary
gcloud has a --impersonate-service-account flag
gsutil has a -i flag
But I want to configure impersonation once in my current session and then know that all future commands are using that service account. So what I want is to gcloud activate-service-account some-service-account-to-impersonate WITHOUT a static key. Is this possible? Can gcloud setup impersonation for my current session like this without me having to specify --impersonate-service-account for every command?
Additionally I want to develop locally and run my app locally as a service account using impersonation. If I have the app configured to use implicit creds (google SDK should look for GOOGLE_APPLICATION_CREDENTIALS or use the user's oath creds by default) I'm thinking it would be possible to run gcloud activate-service-account with impersonation then run my app in that same session and it will run with the impersonated account.
EDIT: per comments looks like this is what I want: gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]
I wrote an article that goes into detail on how to setup and use service account impersonation.
Google Cloud – Improving Security with Impersonation
To configure the CLI to use impersonation by default:
gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]
To clear this setting
gcloud config unset auth/impersonate_service_account
I am trying to use the google speech API for converting an audio file to text, but facing some problems with the documentation.I have enabled the speech API and created an service account file. I also got the service account credentials activated. Then I wrote the following command to retrieve the authorization token using my service account.
gcloud auth application-default print-access-token
But it is returning this message
I don't understand why this is happening because I already have an VM instance created in my Compute Engine. Can anybody explain where am I going wrong with this? Also, is there any other way to authenticate my account and call the google speech API?
gcloud credentials and and application default credentials are managed separately. If you activated service account key file this only can be used for gcloud commands but not for application default credentials.
gcloud auth application-default set of commands are there only to manage application default and having nothing to do with commands in gcloud auth.
There a few ways to "activate" application default credentials:
Use your user account
Run gcloud auth application-default login, or
Use service account (preferred)
set environment variable GOOGLE_APPLICATION_CREDENTIALS=path/to/your/service_accont_key_file.json
copy path/to/your/service_accont_key_file.json to ~/.config/gcloud/application_default_credentials.json`
On windows this might be different, run
gcloud info --format="value(config.paths.global_config_dir)"
to get a path to your config directory.
now command like
gcloud auth application-default print-access-token
should work.
As A solution you can Download the GCLOUD console and then RUN this command on console "gcloud auth application-default" login with the gmail account which have the project access and then you will get access of google api which are enabled.
you can generate your key json file on gcloud using this command:
gcloud auth application-default login
google will display a link to confirm, once you do, there will be the json file ina temp folder displayed
In Google Cloud Platform I created a SERVICE ACCOUNT and assigned the OWNER and SERVICE ACCOUNT ACTOR role.
When I run command below
gcloud container clusters get-credentials travis-test --zone us-central1-c --project phantom-zone-00001
it returns error below
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required “container.clusters.get”
permission for “projects/phantom-zone-00001/zones/us-central1-c/clusters/travis-test”.
If I call the command with my own account (instead of SERVICE ACCOUNT) it runs perfectly fine
Would you please put me into the right direction? Thanks in advance.
It looks like issue was related to the part that I didn't revoke it from my local environment when I re-create the account with same name/email.
to revoke
gcloud auth revoke service#project.iam.gserviceaccount.com
to activate
gcloud auth activate-service-account service#project.iam.gserviceaccount.com --key-file "C:\Users\user\Downloads\key.json"
then it won't give that permission error.