Does service account login expire in a VM on GCP?

I used this command to log in to a service account with a key file and deleted the key file. Should I bother about re-login in future, or does service account login not expire in a VM on GCP?

gcloud auth activate-service-account [ACCOUNT] --key-file=KEY_FILE [--password-file=PASSWORD_FILE | --prompt-for-password] [GCLOUD_WIDE_FLAG …]

That's a good question. My gut says that the key file is used to prove you are who you claim to be and is used in place of a userid/password (which don't exist for a service account). However, after you log in with gcloud, what are returned are an OAuth access token and an OAuth refresh token which (I believe) are then saved to disk. If this is correct, then you will remain "logged in" from a gcloud perspective irrespective of the key file. The key file was only used to grant you the tokens but deletion of the key file doesn't delete the tokens. To remove the tokens (log out) I think you want to run:

gcloud auth revoke <your account>

And what is the expiry cycle of these tokens?

Sadly I'm not an expert on this stuff but will try and do some more study and get back with deeper answers.  My immediate belief is that two tokens are returned ... the Access Token and the Refresh Token.   A current/valid access token is needed to make a request.  It will have a "timeout" associated with it.  When the current access token expires, the refresh token will be used to request a new access token and that will then be used and the story refreshes.  The gcloud command (and client libraries) know how to access these saved tokens and handle the refresh on your behalf so you need do nothing to refresh on the client/caller side.  I'm assuming that the refresh token doesn't expire but can be invalidated/deleted.

Later: More details at:
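
The check-and-revoke step discussed in this thread, as an added example that is not part of the original posts: it asks gcloud which accounts it still holds credentials for, revokes the named service account, and confirms it is gone. The function names and the account in the usage comment are placeholders chosen for this example.

```bash
#!/usr/bin/env bash
# Added example: check whether a service account is still credentialed in the
# local gcloud store (e.g. after its key file was deleted) and revoke it.

# Print every account gcloud holds credentials for, one per line.
credentialed_accounts() {
  gcloud auth list --format='value(account)'
}

# Return 0 if the given account is still credentialed locally.
is_credentialed() {
  credentialed_accounts | grep -Fxq -- "$1"
}

# Revoke the account and confirm it is gone.
# Exit status: 0 revoked, 1 still present after revoke, 2 was not credentialed.
revoke_and_verify() {
  local account="$1"
  if ! is_credentialed "$account"; then
    echo "$account: no local credentials found" >&2
    return 2
  fi
  gcloud auth revoke "$account" --quiet || return 1
  if is_credentialed "$account"; then
    echo "$account: still credentialed after revoke" >&2
    return 1
  fi
  echo "$account: local credentials removed"
}

# Usage (placeholder account name):
#   revoke_and_verify my-sa@my-project.iam.gserviceaccount.com
```

This only clears what gcloud stored on the VM; it does not touch the service account or its keys on the IAM side.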