Re: Using Short-lived downscoped access token in g...

baelter · 06-09-2023 06:09 AM

Is there any way to use such token to authenticate gsutil cli commands?

https://cloud.google.com/iam/docs/downscoping-short-lived-credentials

KirTitievsky

Not entirely sure but the text right above this seems to suggest a solution (e.g. --access-token-file or set the CLOUDSDK_AUTH_ACCESS_TOKEN env variable).

Let us know how it goes if you try this approach.

baelter

Yes, seems to be supported in gcloud CLI, but not gsutil.

KirTitievsky

Ah, I see. Is gcloud not an acceptable way to do this in your case? Can you say why not?

baelter

It could be but our code uses gsutil today so if that was possible it would make it a bit easier.

KirTitievsky

Here's one solution: gsutil -h "Authorization: Bearer $(cat /var/tmp/access_token)" ls

baelter

Got my hopes up but,

gsutil -h "Authorization: Bearer $(cat /tmp/token)" ls gs://my-bucket

Gives "ServiceException: 401 Invalid Credentials"

while

gcloud storage ls gs://my-bucket --access-token-file /tmp/token

works as expected.

btakshil21

Has there been any recent updates on this ?
@baelter did you find a workaround yet ?

Using Short-lived downscoped access token in gsutil