Get service account auth token without gcloud?

gcloud auth activate-service-account
gcloud auth print-identity-token
gcloud auth login
how to get access token google api
gcloud auth application-default login
google cloud storage access key and secret
google_application_credentials
gcp service account access token

Is it possible to get an authorization bearer token for a Google Cloud service account without the use of gcloud?

That is, I would like to make an HTTP request (presumably signed in some way by my JSON key file) that would provide me the equivalent of

gcloud auth application-default print-access-token

This request would be made on my own server, where I may not wish to install gcloud and where I do not have access to any internal server metadata that might provide this (e.g., as is the case with Compute Engine).

Is there some oauth endpoint that provides something like this?

Alternately, is there some way to generate long-lived tokens with gcloud?

I'm new to the Google Cloud ecosystem, so excuse my ignorance and terminology...


I think that this is exactly what you are looking for:

https://developers.google.com/identity/protocols/OAuth2#serviceaccount

Honestly I don't think that what you were trying to achieve was correct, running

gcloud auth application-default print-access-token

you get a token that is not intended to do what you were looking for:

"This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials."

This should guide you a bit more in the implementation of this solution: https://developers.google.com/identity/protocols/OAuth2ServiceAccount

Creating short-lived service account credentials, The ADC can be specified either by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of a service account key file (JSON) or  From the Service account drop-down menu, select New service account. In the Service account name field, enter a name. From the Role drop-down menu, select Service Account > Service Account Token


For your second question, "is there some way to generate long-lived tokens with gcloud?", no there is not. However, you can use a refresh token to generate new access tokens. Check the first answer for this question:

OAuth2 and Google API: Access token expiration time?

And also, here’s an example of a python library that you can use as an authentication mechanism:

https://github.com/GoogleCloudPlatform/google-auth-library-python/blob/master/google/oauth2/credentials.py

gcloud auth application-default print-access-token, gcloud auth activate-service-account --key-file ${KEY_FILE}. Use your service account to obtain an authorization token: gcloud auth  Console. In the Cloud Console, go to the Service Accounts page.. Go to the Service Accounts page. Click Select a project, choose a project, and click Open.. Find the row of the service account that you want to create a key for.


Here's what it looks like in golang:

import(
    "google.golang.org/api/compute/v1"
    "google.golang.org/api/container/v1"
    "google.golang.org/api/iterator"
    "google.golang.org/api/option"
    "google.golang.org/api/transport"
)
ctx := context.Background()
creds, err := transport.Creds(ctx, option.WithScopes(compute.CloudPlatformScope))
token, err := creds.TokenSource.Token()

Cloud Storage authentication, Important: If you are working with Google Cloud Platform, unless you plan to build your own See Addendum: Service account authorization without OAuth. Finally, your application can use the access token to call Google APIs. After you obtain the client email address and private key from the API Console, use the​  Use an OpenID Connect (OIDC) token to authenticate a service account to a IAP-secured resource. Add the service account to the access list for the IAP-secured project. Generate a JWT-based access


There is no need for a library or an api. You can obtain it using

curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" | jq -r .access_token

It is useful if you need it in a shell script.

Authorization and authentication, I get response from gcloud: --. ERROR: (gcloud.auth.application-default.print-​access-token) The Application Default Credentials are not available. They are  Use gcloud auth activate-service-account to authenticate with the service account: gcloud auth activate-service-account --key-file [KEY_FILE] Where [KEY_FILE] is the name of the file that contains your service account credentials. gcloud auth uses the cloud-platform scope when getting an access token.


Using OAuth 2.0 for Server to Server Applications, Previously, gcloud auth login was used for both use cases. If your gcloud installation does not support the new command, please update it: User Accounts (3-legged OAuth 2.0) with a refresh token¶ Find the “Add credentials” drop down and select “Service account” to be guided through downloading a new JSON keyfile  Get started with Google Cloud; Start building right away on our secure, intelligent platform. New customers can use a $300 free credit to get started with any GCP product.


Access Token for Service account for Cloud Speech API, The access tokens can be generated using a service account with proper you to easily generate a new service account key file if you do not have one already. Step-by-step. 1) Create a Service Account. gcloud iam service-accounts create gcpcmdlineuser --display-name "GCP Service Account". gcloud iam service-accounts create gcpcmdlineuser. 2) List the


Authentication, Once you obtain a token, you do not need to exchange your credentials again Use gcloud to obtain an OAuth 2.0 access token, passing the service account  I did some time ago using the Atex.exe and Atex.dmg software from elcomsoft to get my icloud account token and the result was really surprising it did work . But it was not a locked idevice . Using this new extractor can open many other possibilities to break icloud using token .If you get it, you won’t need to know the credentials or the