gcutil + gauth utils auth problems with CloudSQL scope

[GoogleCodeExporter]

1.Authenticate using gauth with custom scope list which includes 
cloudsql/clousql.admin, or any other scope which is not in the default list.

2.Attempt to use gcutil with created credentials file- fails. "please run gauth 
to authenticate" or just prompts for new auth.

3. Also, using gauth with --credentials_store_path will store all the 
credentials in one file (as opposed to the default which is multiple folders in 
~/.cloudsdk/[gauth|gcutil|cloud_sql|etc..]

What version of the product are you using? On what operating system?
Using google-cloud-sdk-0.9.10
gauth and gcutil 1.10 

Please help resolve this issue, perhaps providing the correct order of scopes 
to use GCE and CloudSQL together.
Or perhaps fix gcutil to accept gauth generated credential files properly..

Dror Gensler,
Cloud integration engineer,
Zend PHP.

Original issue reported on code.google.com by dro...@zend.com on 13 Nov 2013 at 12:17

[GoogleCodeExporter]

Thanks for the report.

Changing the set of scopes is not officially supported, though if you want to 
do so you can edit the list in 
google-cloud-sdk/lib/google/cloud/sdk/core/config.py.

Additionally, we have moved forward in versions - please upgrade to the latest 
Google Cloud SDK, which uses the gcloud command line tool in place of gauth. 
The auth system has been significantly upgraded after the version you're using.

Original comment by jasm...@google.com on 13 Nov 2013 at 2:35

• Changed state: WontFix

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Thank you for your reply.

The new version seems better indeed,
The default scopes are more then enough, and include CloudSQL.admin which was 
most needed.

Still, there is a problem with the credentials file-
Using gcloud to auth generates files in ~/.config/gcloud .
Running gcutil after such auth works.

Using gcutil after auth, with the --credentials_file=somehere/credentials.txt 
switch prompts for another browser auth process.
If gcloud auth was not performed it prompts the user to run gcloud auth.

After the gcutil --credentials_file auth, if the ~/.config/gcloud folder is 
deleted, gcutil does not accept the credentials file alone. 

Is there a way to specify credentials store path in gcloud (as there was one in 
gauth, though not so functional)?

I need a way to perform auth, then transfer the credentials to another machine 
and for it to perform actions using gcutil without repeating auth process.

Thank you,
Dror.

Original comment by dro...@zend.com on 14 Nov 2013 at 10:22

[GoogleCodeExporter]

Oh, and gcloud is not installed on GCE Debian instances. all they have is 
gcutil version 1.8.3, which does not accept any of the credentials generated by 
gcloud.

Original comment by dro...@zend.com on 14 Nov 2013 at 10:59

[GoogleCodeExporter]

Thanks for the follow-up.

When using the Cloud SDK, it is (intentionally) very difficult to do auth by 
any other mechanism.

Transferring a specific credentials from one machine to another is not a 
use-case we've designed for, however it is a reasonable one and I'm going to 
add it to our internal feature tracker. Stay tuned.

In the meantime, the credentials that gcutil needs are available, but hidden in 
~/.config/gcloud/legacy_credentials/YOUR_EMAIL/multistore.json.

In fact, the version of gcutil that you get with the Cloud SDK is a wrapper 
script that calls the "real" version of gcutil with --credentials_file pointing 
at the multistore.json for the active account.

If you copy this file to the GCE machine, and run gcutil with 
--credentials_file=/path/to/multistore.json, things should work as expected.

Now, that's how you can do what you intended. However, did you know that 
gcutil, when running on a GCE machine, does not need to be provided any 
credentials file at all? Details are available at 
https://developers.google.com/compute/docs/authentication where it talks about 
"service accounts".

Original comment by jasm...@google.com on 14 Nov 2013 at 3:01

[GoogleCodeExporter]

Regarding cloudsdk and gce, getting the cloudsdk available on compute vms is a 
near-term TODO, but it hasn't happened yet. This makes for a bit of impedance 
when using gcutil via the cloudsdk and when using gcutil on a vm, but it will 
go away soon, hopefully.

Original comment by jasm...@google.com on 14 Nov 2013 at 3:06