{"id":21355036,"url":"https://github.com/salrashid123/gcloud_alias_adc","last_synced_at":"2025-10-08T01:58:10.928Z","repository":{"id":91309895,"uuid":"373539258","full_name":"salrashid123/gcloud_alias_adc","owner":"salrashid123","description":"gcloud alias for Application Default Credentials","archived":false,"fork":false,"pushed_at":"2021-11-18T13:54:15.000Z","size":9,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-27T17:48:46.520Z","etag":null,"topics":["gcloud","gcp","google-cloud","google-cloud-platform"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salrashid123.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-03T14:37:07.000Z","updated_at":"2024-11-09T10:30:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"8c4251e9-714a-42b0-b404-7d9737f328ee","html_url":"https://github.com/salrashid123/gcloud_alias_adc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/salrashid123/gcloud_alias_adc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcloud_alias_adc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcloud_alias_adc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcloud_alias_adc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcloud_alias_adc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salrashid123","download_url":"https://codeload.github.com/salrashid123/gcloud_alias_adc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fgcloud_alias_adc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278877086,"owners_count":26061380,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gcloud","gcp","google-cloud","google-cloud-platform"],"created_at":"2024-11-22T04:15:39.628Z","updated_at":"2025-10-08T01:58:10.877Z","avatar_url":"https://github.com/salrashid123.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gcloud alias for Application Default Credentials\n\nShell alias script that will print the active in-use account for GCP [application default credentials (ADC)](https://cloud.google.com/sdk/gcloud/reference/auth/application-default).\n\nFor example, if you run either\n\n* `gcloud config list`\n* `gcloud auth list`\n\nthis script will print the gcloud cli credentials as well as the application default credentials that are in use. This script will also transparently pass and apply parameters to the actual gcloud cli  (meaning the alisas it acts as if its gcloud)\n\n\u003e\u003e This script is not supported by Google\n\nAs background, users can configure gcloud to use two different credential sets: one for the gcloud cli and one for any google cloud SDK library. Sometimes it's difficult to know which identity is used for ADC since there isn't an easy way to show that. For example, the following commands shows how two identities in use but only one is shown in `gcloud config list`:\n\n```bash\n$ gcloud config list\n\n[core]\naccount = alice@domain.com   \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\nproject = your-project-id\n```\n\n\nNow print the identity used in gcloud cli operations...notice its `alice@domain.com`\n\n```bash\n$ curl https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=$(gcloud auth print-access-token)\n{\n  \"azp\": \"32555940559.apps.googleusercontent.com\",\n  \"aud\": \"32555940559.apps.googleusercontent.com\",\n  \"sub\": \"111461344714442243111\",\n  \"scope\": \"https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/accounts.reauth https://www.googleapis.com/auth/plus.me\",\n  \"exp\": \"1550093476\",\n  \"expires_in\": \"3600\",\n  \"email\": \"alice@domain.com\",    \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\n  \"email_verified\": \"true\",\n  \"access_type\": \"offline\"\n}\n```\n\nHowever, any cloud SDK operation could use a different identity at the same time for ADC...in this case its `bob@domain.com`:\n\n```bash\n$ curl https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=$(gcloud auth application-default print-access-token)\n{\n  \"azp\": \"764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com\",\n  \"aud\": \"764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com\",\n  \"sub\": \"108157913093274845548\",\n  \"scope\": \"https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/plus.me\",\n  \"exp\": \"1550093492\",\n  \"expires_in\": \"3599\",\n  \"email\": \"bob@domain.com\",      \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\n  \"email_verified\": \"true\",\n  \"access_type\": \"offline\"\n}\n```\n\n\nHowever, if you use this alias, a `gcloud config list` will now show both credentials:\n\n```bash\n$ gcloud config list\n\n[adc]\naccount = bob@domain.com\nsource = /home/bob/.config/gcloud/application_default_credentials.json\n\n\n[core]\naccount = alice@domain.com\nproject = your-project-id\n```\n\n\n### Usage/Install\n\nTo use, install jq and yq to parse json and yaml:\n\n```bash\napt-get install jq\npip3 install yq\n```\n\nthen just create a file called [galias.sh](galias.sh), make it executable, then alias it:\n\n```bash\nchmod u+x /path/to/galias.sh\nalias gcloud='/path/to/galias.sh'\n```\n\nadd the alias to your `.profile` to make it permanent\n\n---\n\nYou can apply json and yaml display parsing gcloud supports:\n\n* `json`\n\n```json\n$ gcloud config list --format json\n{\n  \"core\": {\n    \"account\": \"alice@domain.com\",\n    \"project\": \"your-project-id\"\n  },\n  \"adc\": {\n    \"account\": \"bob@domain.com\"\n  }\n}\n```\n\n* `yaml`\n\n```yaml\n$ gcloud config list --format yaml\ncore:\n  account: alice@domain.com\n  project: your-project-id\nadc:\n  account: bob@domain.com\n```\n\nThe rendering of json and yaml with the additional `adc.account=` value is done _after_ gcloud finishes applying any formatting. What that means is this script does *NOT* support advanced formatting (eg you cannot use `gcloud config list --format=\"value(ac.account)\"`. Instead use `jq,yq` on the whole command:\n\n```bash\n$ gcloud config list --format=json  | jq -r '.adc.account'\n  bob@domain.com\n\n$ gcloud config list --format=yaml  | yq -r '.adc.account'\n  bob@domain.com\n```\n\n### Test Cases\n\nNote, the home directory is always for alice since she is the logged in user to the OS\n\nA) No ADC\n\n```bash\n$ gcloud auth application-default revoke\n  You are about to revoke the credentials stored in: \n  [/home/alice/.config/gcloud/application_default_credentials.json]\n\n  Credentials revoked.\n\n$ unset GOOGLE_APPLICATION_CREDENTIALS\n$ gcloud config list\n  [adc]\n  account = \n  source = \n\n  [core]\n  account = alice@domain.com\n\n  project = your-project-id\n  ```\n\nB) gcloud CLI with key file\n\n```bash\n$ gcloud config list\n  [adc]\n  account = bob@domain.com\n  source = /home/alice/.config/gcloud/application_default_credentials.json\n\n  [core]\n  account = alice@domain.com\n  project = your-project-id\n\n$ gcloud auth activate-service-account --key-file=/path/to/svc-account.json\n\n$ gcloud config list\n  [adc]\n  account = bob@domain.com\n  source = /home/alice/.config/gcloud/application_default_credentials.json\n\n  [core]\n  account = svc-account@your-project-id.iam.gserviceaccount.com\n  project = your-project-id\n```\n\nThis is intended since gcloud auth activate-service-account configures gcloud cli and does not impact ADC\n\nC) ADC with with `GOOGLE_APPLICATION_CREDENTIALS`\n\n```bash\n$ gcloud config list\n  [adc]\n  account = bob@domain.com\n  source = /home/alice/.config/gcloud/application_default_credentials.json\n\n  [core]\n  account = alice@domain.com\n  project = your-project-id\n\n$ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/svc-account.json\n\n$ gcloud config list\n  [adc]\n  account = svc-account@your-project-id.iam.gserviceaccount.com\n  source = /path/to/svc-account.json\n\n  [core]\n  account = alice@domain.com\n\n  project = your-project-id\n```\n\nD) With Metadata Server\n\n```bash\n$ gcloud config list\n  [adc]\n  account = gce-svc-account@your-project-id.iam.gserviceaccount.com\n  source = metadata\n\n  [core]\n  account = gce-svc-account@your-project-id.iam.gserviceaccount.com\n  project = your-project-id\n```\n\nE) Metadata Server without Service Account\n\n```bash\n$ gcloud config list\n  [adc]\n  account = \n  source = \n\n  [core]\n  project = your-project-id\n```\n\nF) `GOOGLE_APPLICATION_CREDENTIALS` with external_account\n\nFor use with federation:\n\n- [OIDC Federation](https://github.com/salrashid123/gcpcompat-oidc#automatic)\n- [AWS Federation](https://github.com/salrashid123/gcpcompat-aws#test-automatic)\n\n```bash\n# Federated with impersonation enabled\ncat `pwd`/sts-creds.json\n  {\n    \"type\": \"external_account\",\n    \"audience\": \"//iam.googleapis.com/projects/1071284184436/locations/global/workloadIdentityPools/aws-pool-2/providers/aws-provider-2\",\n    \"subject_token_type\": \"urn:ietf:params:aws:token-type:aws4_request\",\n    \"token_url\": \"https://sts.googleapis.com/v1/token\",\n    \"credential_source\": {\n      \"environment_id\": \"aws1\",\n      \"region_url\": \"http://169.254.169.254/latest/meta-data/placement/availability-zone\",\n      \"url\": \"http://169.254.169.254/latest/meta-data/iam/security-credentials\",\n      \"regional_cred_verification_url\": \"https://sts.{region}.amazonaws.com?Action=GetCallerIdentity\u0026Version=2011-06-15\"\n    },\n    \"service_account_impersonation_url\": \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/aws-federated@your-project-id.iam.gserviceaccount.com:generateAccessToken\"\n  }\n\nexport GOOGLE_APPLICATION_CREDENTIALS=`pwd`/sts-creds.json\n\n$ gcloud auth list\n  [adc]\n  account = https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/aws-federated@your-project-id.iam.gserviceaccount.com:generateAccessToken\n  source = /path/to/sts-creds.json\n\n  [core]\n  account = user@domain.com\n```\n\n```bash\n# Federated with without impersonation enabled\ncat `pwd`/sts-creds.json\n  {\n    \"type\": \"external_account\",\n    \"audience\": \"//iam.googleapis.com/projects/1071284184436/locations/global/workloadIdentityPools/aws-pool-2/providers/aws-provider-2\",\n    \"subject_token_type\": \"urn:ietf:params:aws:token-type:aws4_request\",\n    \"token_url\": \"https://sts.googleapis.com/v1/token\",\n    \"credential_source\": {\n      \"environment_id\": \"aws1\",\n      \"region_url\": \"http://169.254.169.254/latest/meta-data/placement/availability-zone\",\n      \"url\": \"http://169.254.169.254/latest/meta-data/iam/security-credentials\",\n      \"regional_cred_verification_url\": \"https://sts.{region}.amazonaws.com?Action=GetCallerIdentity\u0026Version=2011-06-15\"\n    },\n  }\n\nexport GOOGLE_APPLICATION_CREDENTIALS=`pwd`/sts-creds.json\n\n$ gcloud auth list\n  [adc]\n  account = urn:ietf:params:oauth:token-type:jwt\n  source = /path/to/sts-creds.json\n\n  [core]\n  account = user@domain.com\n```\n\nNote, the `account` value will either show which service account federation will use or if no impersonated credentials are even involved (which is rare)\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fgcloud_alias_adc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalrashid123%2Fgcloud_alias_adc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fgcloud_alias_adc/lists"}