gcloud crashed (TokenRevokeError): invalid_request - google-cloud-platform

I'm currently experiencing inconsistency when trying to revoke my gcloud credentials after I'm done using my service account.
gcloud auth activate-service-account --key-file=mykey.json
{commands...}
gcloud auth revoke
At times the revoke command does work, but sometimes it (randomly?) fails with this error:
ERROR: gcloud crashed (TokenRevokeError): invalid_request
If you would like to report this issue, please run the following
command: gcloud feedback
To check gcloud for common problems, please run the following command:
gcloud info --run-diagnostics
When this happens, I can see that running gcloud auth list afterwards still lists the account, though it isn't marked as active.
While after a successful revoke, the account is not listed at all (makes sense, as it has been revoked and removed).
Did anybody experience this issue?

You should upgrade to the latest version of gcloud per #john-hanley's suggestion.
Please see the documentation for gcloud auth revoke.
It is not possible to revoke service account tokens.
The message you're receiving is unhelpful (although accurate, it is an invalid request) but you should not see the credentials listed after issuing the command and this may be addressed by upgrading.

Related

gcloud auth login does not update/identify my active account correctly for git usage

I have been trying to log with a new corporate account in order to push some code in gcp Cloud Repository. Despite all my attempts at logging in with the new user, somehow when I issue git push it still tells me
ERROR: Your current active account [old_email#domain.com] does not have any valid credentials
Please run:
$ gcloud auth login
to obtain new credentials.
For service account, please activate it first:
$ gcloud auth activate-service-account ACCOUNT
Run 'gcloud auth login' to log in.
Username for 'https://source.developers.google.com':
When I run gcloud auth list only the new corporate email <new_corporate_email>#domain.com is displayed.
Here are the steps I took
gcloud auth login
gcloud auth login --no-launch-browser
gcloud auth application-default login
gcloud config set account <new_corporate_email>#domain.com
git config --global user.email "<new_corporate_email>#domain.com"
Where is the current active account stored and how do I refresh its value? Could this be strictly a git issue?
I suspected it was a problem with git and its relationship with gcloud since I am using Google Cloud Source Repositories.
What I did was not solve this solution perse, but I offer you a workaround in case you get the same error. Here are the steps I applied to "fix" it:
I made sure I was logged with the right account on gcloud
I made sure that account had the right IAM rights within the GCP
project
I backed up my source repo (thankfully, only these few last changes
were missing from my remote repo)
I deleted the original local source code repo and recloned it using
gcloud
I took the changes from my backup folder via rsync
I tested a commit & push and it worked

gcloud auth activate-service-account logout / revoke / remove / unset

I,ve added my service-account successfuly using below command.
gcloud auth activate-service-account --key-file=mycredentialsialreadyhad.json
Now I can't remove or logout from it.
any help would be greatly appreciated.
edit:
i tried this commands and got error
gcloud auth revoke
ERROR: (gcloud.auth.revoke) Cannot revoke GCE-provided credentials.
gcloud config configurations delete default
ERROR: (gcloud.config.configurations.delete) Deleting named configuration failed because configuration [default] is set as active. Use gcloud config configurations activate to change the active configuration.
edit2: this gcloud cli is on GCP ubuntu VM
UPDATE
Use a command with a specified account because you can't revoke the Compute Engine service account(default).
For example:
gcloud auth revoke serviceaccount#testproject.iam.gserviceaccount.com
and run:
gcloud auth list
It should only display the default service account of the Compute Engine:
[PROJECT-NUMBER]-compute#developer.gserviceaccount.com
I may be late to the party on this, but the solution that I found works is:
gcloud config unset auth/impersonate_service_account
Followed by:
gcloud auth login
TLDR; To logout from all accounts
gcloud auth revoke --all
To check active account logins
gcloud auth list
To logout form one account only (take account from command above)
gcloud auth revoke [ACCOUNT]
this error happens when you try to remove a service account that was propagated to the machine during the creation time (docs here).
this service account could not be removed from your machine.
in any other case, the following commands should work (as mentioned in other answers here).
gcloud auth revoke --all
OR
gcloud auth revoke [ACCOUNT]
Use the below syntax to activate the service account. Here we need to mention service account ID.
gcloud auth activate-service-account testpck#xxxxxx.iam.gserviceaccount.com --key-file=xxxxxx.json --project=xxxxxx
Use the below syntax to revoke the service account:
gcloud auth revoke testpck#xxxxx.iam.gserviceaccount.com
Error encountered in your case because the service account ID was not mentioned in gcloud auth revoke command , which is trying to revoke your active google account.
Permissions are denied if you disable the service account instead of revoke. If you revoke the service account then default account will get activated and that might have permission to storage.
In addition to gcloud auth revoke commands mentioned above, I also had to unset the GOOGLE_APPLICATION_CREDENTIALS env variable.
unset GOOGLE_APPLICATION_CREDENTIALS

gcloud \ kubectl authentication problem: forget service account

I'm using gcloud and kubectl to handle my resources (Kubernetes, VM and so on). Everything worked find until I read some article that created a new service account and activate it via cloud. Something like this:
gcloud auth activate-service-account --key-file=path/to/key
The created service account has limited permissions to few resources. When I run commands, like:
kubectl --namespace production get pods
I'm getting back response like:
Error from server (Forbidden): pods is forbidden: User
"SA-USER#PROGECTNAME.iam.gserviceaccount.com"
cannot list resource "pods" in API group "" in the namespace
"production": requires one of ["container.pods.list"] permission(s).
The SA SA-USER#PROGECTNAME.iam.gserviceaccount.com is the service account that I created yesterday. For some reason, it took control on my default permissions and I'm locked out because this user almost has no permissions.
I tried to make the gcloud forget this service account without success. Things I tried:
Uninstall & Install of gcloud and kubectl
Remove the config directory ("~/.config/gcloud/")
gcloud auth login
All those tried was failed. I still getting the same message as above.
How I can make gcloud and kubectl forget this service account?
Thanks!
UPDATE for the new auth plugin:
Some time ago, gke adopted the new auth plugin architecture for kubernetes.
In the new plugin gke-gcloud-auth-plugin, the authentication cache is at
macOS: ~/.kube/gke_gcloud_auth_plugin_cache
(Please edit this answer to include locations in others operation systems.)
You can just delete that file.
There is a problem with the expiration of the authentication token used by kubectl.
When you choose a new user via gcloud and make a kubectl request, an authentication token is cached locally.
A workaround is to edit your ~/.kube/config and set a date in the past for the expiry field on the relevant user section.
You can perform a gcloud auth application-default login
You can also see the current configuration of your gcloud CLI by doing gcloud config list. You can change some default parameter with gcloud config set param_name param_value. For example (because you will use often it if you have several projects)
gcloud config set project MyProjectId
With these, you will be able to solve your issue

getting get-credentials requires edit permission error on gcp

I'm trying to setup credentials for kubernetes on my local.
gcloud container clusters get-credentials ***** --zone **** --project elo-project-267109
This query works fine when I tried it from cloud shell, but I got this error when I tried run it from my terminal:
ERROR: (gcloud.container.clusters.get-credentials) get-credentials requires edit permission on elo-project-267109
I've tried this query from admin account as well as default service account also from new service account by assigning editor role and it still doesn't seem to work for me.
i am using macOs Mojave(10.14.6) and gcloud SDK version installed in my system is 274.0.1
i was able to resolve this issue on my local but i was actually trying to build a CI/CD from gitlab and the issue persists there, i have tried using gcloud(279.0.0) image version.
i am new to both gitlab and gcloud. i am trying to build CI/CD pipeline for the first time.
Do gcloud auth list to see which account are you logged into.
You need to login with the account which has the correct credentials to access the action that you're trying to perform.
To set the gcloud account: gcloud config set account <ACCOUNT>
It's turned out to be the image version mismatch issue on GitLab.

gcloud any command work only sometimes

Sometimes after I run some command lines such as gcloud instances list
the output is shown after 1 or 2 minutes, rarely after 5 minutes.
When I tried to run gcloud instances ssh inst_name, this is console output I get:
ERROR: (gcloud.compute.ssh) There was a problem refreshing your current auth tokens: Unable to find the server at www.googleapis.com
Please run:
$ gcloud auth login
to obtain new credentials, or if you have already logged in with a different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
Running either of those commands or both of them doesn't help.
Does someone know a workaround or root cause for my problem?