This repository has been archived by the owner on Jan 3, 2023. It is now read-only.

Do not require application-default credentials #154

Open
ahmetb opened this issue Mar 28, 2018 · 6 comments

@ahmetb
Contributor

ahmetb commented Mar 28, 2018

Do not require this command:

    gcloud auth application-default login

There are a lot of tools that depend on gcloud credentials that work without requiring this.

The way they do this is to run

    gcloud config config-helper --format=json

and parse the token from there directly. This is also how kubectl authenticates to GKE.

This step (1) is unnecessary, (2) interferes with the user's current ADC config, (3) creates a side effect on the user's system, and (4) makes the kubemci tutorial longer. Please consider changing soon, or I may send a patch.

@nikhiljindal
Contributor

Thanks for filing this issue @ahmetb

A patch will be most welcome :)
Note that it will have to be this week to make it in 0.4

@ahmetb
Contributor Author

ahmetb commented Mar 28, 2018

I tried, it seems nontrivial. You likely need to specify a custom oauth2.TokenSource to all googleapi clients.

@G-Harmon
Contributor

Is this a Beta blocker?

@ahmetb
Contributor Author

ahmetb commented Mar 29, 2018

Shouldn't be. But I have reason to think it should be doable fairly easily. Projects like container-builder-local or kubectl's gcp auth plugin use it. So there's a fair amount of golang code in this space.

This code execs out to gcloud to get a token:
https://github.com/kubernetes/client-go/blob/88e8ea169afa2918712ce2bc64fc1e2d11d72b12/plugin/pkg/client/auth/gcp/gcp.go#L277-L291

Then you should be able to use the client constructor/options to give a custom token source to the auto-generated clients.
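
The approach discussed in this thread (exec `gcloud config config-helper --format=json` and parse the token from its output), as an added example that is not code from kubemci, client-go or any participant here. It uses only the standard library: `Token`, `parseHelperOutput`, `gcloudToken` and the sample JSON are constructed for illustration, and the `credential.access_token` / `credential.token_expiry` field names are assumed from gcloud's JSON output, which the thread does not show.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os/exec"
	"time"
)

// Token is a local stand-in for oauth2.Token (assumption: adapt it in your TokenSource).
type Token struct {
	AccessToken string    `json:"access_token"`
	Expiry      time.Time `json:"token_expiry"`
}

// parseHelperOutput fails closed on malformed JSON, a missing token or an expired one.
func parseHelperOutput(raw []byte, now time.Time) (*Token, error) {
	var out struct{ Credential Token `json:"credential"` }
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, fmt.Errorf("config-helper output: %w", err)
	}
	if out.Credential.AccessToken == "" {
		return nil, fmt.Errorf("config-helper returned no access token")
	}
	if !out.Credential.Expiry.After(now) {
		return nil, fmt.Errorf("config-helper token expired at %s", out.Credential.Expiry)
	}
	return &out.Credential, nil
}

// gcloudToken execs gcloud directly (argv, no shell) with a timeout.
func gcloudToken(ctx context.Context) (*Token, error) {
	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
	defer cancel()
	raw, err := exec.CommandContext(ctx, "gcloud", "config", "config-helper", "--format=json").Output()
	if err != nil {
		return nil, fmt.Errorf("running gcloud: %w", err) // never log raw: it holds the token
	}
	return parseHelperOutput(raw, time.Now())
}

// sample is constructed; real output also carries configuration fields.
const sample = `{"credential":{"access_token":"constructed","token_expiry":"2099-01-01T00:00:00Z"}}`

func main() {
	tok, err := parseHelperOutput([]byte(sample), time.Now())
	fmt.Println(tok != nil, err) // report status only, never the token itself
}
```

Because the token is read from gcloud's own credential store on each call, nothing is written to the application-default credentials file.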

@nikhiljindal
Contributor

Yes, if possible, we will try to get it in. Not a blocker.

@lpellegr

Just wasted some time due to this requirement. If the command gcloud auth application-default login is not used, then kubemci fails with an error similar to the following:

E0416 21:51:43.392608 18465 gce.go:860] error fetching initial token: oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Bad Request"
}
E0416 21:51:44.494521 18465 gce.go:860] error fetching initial token: oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Bad Request"
}
E0416 21:51:45.986165 18465 gce.go:860] error fetching initial token: oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Bad Request"
}
