How do i completely logout of Google Cloud? `gcloud auth revoke --all` doesn't cut it
I'm not sure if this will help you in any way but I ran into a similar issue. Once I had revoked the all credentials using the command "gcloud auth revoke --all" I was still able the execute scripts against my environment. In the end, I found the application default credentials file locating in ~/.config/gcloud/application_default_credentials.json. Renaming / Deleting this file help to remove the client library's ability to the authentication. I no get the follow
File "audit_test.py", line 8, in main
client = resource_manager.Client()
File "fake_path/python3.7/site-packages/google/cloud/resource_manager/client.py", line 72, in __init__
super(Client, self).__init__(credentials=credentials, _http=_http)
File "fake_path/python3.7/site-packages/google/cloud/client.py", line 132, in __init__
credentials, _ = google.auth.default()
File "fake_path/python3.7/site-packages/google/auth/_default.py", line 321, in default
raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started
Related videos on Youtube
Joshmaker
Updated on September 18, 2022Comments
-
Joshmaker over 1 year
Logging out of Google Cloud seems like it should be easy. If I run:
$ unset GOOGLE_APPLICATION_CREDENTIALS $ gcloud auth revoke --all Revoked credentials: - [my account] $ gcloud auth list No credentialed accounts. To login, run: $ gcloud auth login `ACCOUNT`
It at first looks like I'm completely logged out of
gcloud
. But watch what happens when I open a Python shell:>>> from google.cloud import secretmanager_v1beta1 as secretmanager >>> client = secretmanager.SecretManagerServiceClient() /Users/my/path/.venv/lib/python3.7/site-packages/google/auth/_default.py:66: UserWarning: Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about service accounts, see https://cloud.google.com/docs/authentication/ warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) >>> path = client.secret_version_path(project="my-project-name", secret="my-secret", secret_version="latest") >>> secret = client.access_secret_version(path) >>> secret.payload.data.decode() "Oh, no! I should be secret!"
As you can see, even though I ran
gcloud auth revoke --all
I'm still able to access Google Cloud through the Python SDK using user credentials that are stored somewhere. Is there a way to completely logout of Google Cloud on my laptop?EDIT: to clarify further: there aren't any Google Cloud Service account JSON files saved on this computer, and I've unset the
GOOGLE_APPLICATION_CREDENTIALS
environment variable.-
Christopher Rodriguez Conde over 4 yearsI would like to know from where are you revoking access to your accounts. Is it from Google Cloud Shell? Or perhaps from your local machine? Thank you.
-
Joshmaker over 4 years@ChristopherRodriguezConde all the commands here are running locally on my MacBook (good ol' zsh in iTerm).
-
Christopher Rodriguez Conde over 4 yearsI see no relation between the Client Libraries and the fact you revoke access using the
gcloud
command.gcloud revoke --all
will sign out you to use anygcloud
command if I am not mistaken, while for 'logging out' in the sense you would like to control access to the Client Libraries use service accounts, and assign those service accounts to your end-users, but I think there's no relation between revoking access and actually running the Python's Client Libraries. I hope it helps. -
Joshmaker over 4 years@ChristopherRodriguezConde but there is a relationship because if these isn't a service account it will default to using the
gcloud
authorization credentials. My goal is to be completely logged out such that the SDK is unable to authenticate, which includes not having any service account files.
-
-
charles-allen over 3 yearsThere is a command
gcloud auth application-default revoke
which revokes the credentials in that file (and all copies of that file)