We use the gcloud CLI to run ad hoc jobs and manually deploy Cloud Functions.
Previously, we used multiple keys from one shared service account. This is obviously bad practice.
gcloud auth application-default login lets us each use our individual user credentials, but they expire after about an hour!
I've checked https://admin.google.com/ac/security/reauth/admin-tools and the settings show "never require reauthentication".
Question: How can one get longer-lasting user credentials for use with gcloud?
The only other alternative I can think of is to create unique service accounts for each developer.
CodePudding user response:
Question: How can one get longer-lasting user credentials for use with gcloud?
The credential lifetime is hardcoded to one hour. Read below for details and recommendations.
The credentials for the CLI should only be used for the CLI and for short-term testing of code/APIs. If you use tokens created from user identities, you will have future problems with quotas and rate-limiting enforced by Google Cloud.
Commands such as gcloud auth application-default print-access-token issue OAuth 2.0 Access Tokens from the identity set up in the CLI. Those tokens should be considered test-only credentials. They are valid for 3,600 seconds. The lifetime cannot be changed without modifying the source code of the CLI.
You should use service accounts and the client libraries if you want long-term credentials. The client libraries will automatically refresh service account OAuth Access Tokens. Also, each developer should have a user identity and a service account identity. Do not share service accounts between users.
You can create tokens yourself and manage the refresh of those tokens. I have written articles on my website that cover the details, with examples in Python and the curl CLI.
In Google Cloud, OAuth tokens are valid for one hour. By changing the Org Policy constraints, tokens can be created that have a lifetime of up to 12 hours. I do not recommend this constraint.
The Organization Policy Constraint is:
constraints/iam.allowServiceAccountCredentialLifetimeExtension
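The refresh-before-expiry handling the answer describes (client libraries refreshing one-hour tokens, or managing the refresh yourself) as an added example that is not part of the original post or of Google's client libraries: a small Python token manager with an injected, constructed token issuer and clock so it runs offline; the 300-second refresh margin is an assumed value.

```python
"""Refresh-before-expiry handling for one-hour Google OAuth 2.0 access tokens."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

TOKEN_LIFETIME_S = 3600   # access-token lifetime stated in the answer
REFRESH_MARGIN_S = 300    # assumed safety margin: refresh five minutes early


@dataclass
class TokenManager:
    """Caches an access token and re-issues it shortly before it expires.

    `issuer` returns a token response shaped like Google's token endpoint
    ({"access_token": str, "expires_in": int}); in real code that would be the
    service-account refresh call. It and `clock` are injected (constructed here).
    """
    issuer: Callable[[], Dict]
    clock: Callable[[], float] = time.time
    refresh_count: int = field(default=0, init=False)
    _token: str = field(default="", init=False)
    _expires_at: float = field(default=0.0, init=False)

    def needs_refresh(self) -> bool:
        # True on first use (expires_at == 0) and again once inside the margin.
        return self.clock() >= self._expires_at - REFRESH_MARGIN_S

    def get_token(self) -> str:
        if self.needs_refresh():
            resp = self.issuer()
            self._token = resp["access_token"]
            # expires_in is a relative lifetime in seconds, so anchor it to now.
            self._expires_at = self.clock() + int(resp["expires_in"])
            self.refresh_count += 1
        return self._token

    def seconds_remaining(self) -> int:
        return max(0, int(self._expires_at - self.clock()))


def make_fake_issuer(lifetime: int = TOKEN_LIFETIME_S) -> Callable[[], Dict]:
    """Constructed stand-in for the token endpoint; each call mints a new token."""
    count = [0]

    def issue() -> Dict:
        count[0] += 1
        return {"access_token": f"constructed-token-{count[0]}",
                "expires_in": lifetime}
    return issue
```

With the real refresh call injected as `issuer`, callers simply use `get_token()` before each request and never hold a token past its one-hour lifetime.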