GCP PS1 Prompt Support for GCP Accounts and Projects

[RoseSecurity]

Feature Request

I know that Geodesic tends to lean more into the AWS landscape, but would y’all consider offering some GCP PS1 prompt support for GCP accounts like:

function role_name() {
    local role_name
    # Could be a primary or assumed role. If we have assumed a role, cut off the session name.
    local current_role=$(gcloud auth list --filter=status:ACTIVE --format="value(account)" 2>/dev/null | cut -d '@' -f1)
    if [[ -z $current_role ]]; then
        unset ASSUME_ROLE
        return 0
    fi
    export ASSUME_ROLE="$current_role"
}
role_name

From my understanding, GCP has a few different authentication flows, but when it comes to the credentials used by SDK tools like gcloud or gsutil, they are stored in a DB file located at ~/.config/gcloud/credentials.db. Whenever someone runs gcloud auth login, it appends an entry to this file. I also found credentials inside of access_tokens.db, and was able to extrapolate them using Sqlite.

When I look in ~/.config/gcloud/configurations/config_default :

I see:

[core]
account = [michael@gmail.com](mailto:michael@gmail.com)
project = projectexample

[Nuru]

I would be in favor of supporting GCP prompts along the same lines as we support AWS prompts. Standing in the way:

• Cloud Posse does not have a sponsor to support the work. This is not always a requirement, but it definitely helps, both in providing resources and in providing feedback on proposed solutions.
• Cloud Posse does not have a GCP workflow or authentication scheme in its reference architecture, making it unclear what GCP support should actually look like. The AWS support is quite complicated because of the various sources of identity and the numerous reasons to assume different AWS IAM roles and the differing ways to assume them. It is extra complicated because of legacy support for deprecated and obsolete workflows, which should not be carried forward to GCP support.
• The existing prompt support for AWS roles is very complicated. I would not expect a contributor to understand all the intricacies and would not trust a contributor PR to provide GCP support.
• Cloud Posse does not have any kind of established way to test the prompts. The AWS prompts were developed through continuous feedback from customers, but we do not have established relationships with GCP users to provide adequate feedback.

I will leave this issue open and we may at some point undertake to provide the feature, but I would not estimate it happening anytime soon. My best recommendation for now is that GCP users look at the existing AWS support, ignoring in particular the support for aws-vault and the expectation that a primary use case is launching a sub-shell with a different assumed role, and use the existing customization options to craft your own solution.

If you feel you have something robust enough to share, I will consider a PR, but you should craft your PR in a way that other GCP users can adopt it into their custom Geodesic images before the PR is merged and without having to fork the repo.