1

I'm working on a project where I need to access a Gcloud service account. However, I've been encountering issues with authentication. This is the following error from my command prompt:

My command:

curl -s -H "Content-Type: application/json" \ 
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \ 
https://speech.googleapis.com/v1/speech:recognize \ 
-d @sync-request.json

Output:

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}

At the current moment, I have done the following: I set my environment variable, "GOOGLE_APPLICATION_CREDENTIALS", to hold the path to my service account's JSON key file, I opened my cmd in the directory where the key file is located, I ran the command. Is there anything else I'm missing?

The documentation I am following is from https://cloud.google.com/docs/authentication/production#windows

Donnald Cucharo
  • 3,866
  • 1
  • 10
  • 17
justin Yang
  • 57
  • 2
  • 7
  • 1
    I don't want to see your authorization token, but when you inspect it does it look right? I get that you have to set the header but the Bearer parts seems like that you should be part of the authentication mechanism itself. When it talks about auth application-defautl it says "These credentials are only used by Google client libraries in your own application." which is not promising to me. Never used glocud so I could be entirely wrong. – Allan Wind Dec 24 '20 at 21:23
  • 1
    You can try creating a [new service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and download the [JSON key file](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys) just to have fresh credentials and try following the instructions for setting up the path in windows. – Ricco D Dec 25 '20 at 07:38

1 Answers1

1

Couple of things.

gcloud does not use ADC; setting GOOGLE_APPLICATION_CREDENTIALS does not configure gcloud.

You should (have not tried) be able to use gcloud auth activate-service-account ... and then gcloud auth print-access-token.

Or you can just use a regular (human|non-service) account and gcloud auth print-access-token.

Or, you can use gcloud auth application-default login and then gcloud auth application-default print-access-token but the two go together.

Don't quote the token in header:

TOKEN="$(gcloud auth print-access-token)"                     # Either
TOKEN="$(gcloud auth application-default print-access-token)" # Or

curl \
--silent \
--header "Content-Type: application/json" \
--header "Authorization: Bearer ${TOKEN}" \
--data @sync-request.json \
https://speech.googleapis.com/v1/speech:recognize
DazWilkin
  • 32,823
  • 5
  • 47
  • 88
  • Sorry, I should have been more specific. I am attempting to authenticate my application as a service account via the command prompt. According to the documentation, I can use the Google Cloud Client Libraries and ADC to automatically find my service account credentials. Here is the document to which I am referring to: https://cloud.google.com/docs/authentication/production#windows. – justin Yang Dec 25 '20 at 01:53
  • You can use `GOOGLE_APPLICATION_CREDENTIALS` only with Google's SDKs. You can use `print-access-tokem` values with curl as I showed. But `print-access-token` can only use a`gcloud auth`'d credentials. Either a regular Google (human) account or a service account. For the latter you must `gcloud auth activate-service-account`. You can even `gcloud auth application-default print-access-token` but you must `gcloud auth application-default login` first. This last approach is no longer recommended and using it this way is a little unusual. – DazWilkin Dec 25 '20 at 02:59
  • ... this is because, this is|was a way to avoid using a service account by emulating one with human credentials. If you just have code using Google SDKs, create a service account and use `GOOGLE_APPLICATION_CREDENTIALS`. – DazWilkin Dec 25 '20 at 03:01
  • Also, if you're not aware of it, check out [oauth2l](https://github.com/google/oauth2l). It's useful for munging tokens. – DazWilkin Dec 25 '20 at 03:03