
Manage GCP credentials using gcloud CLI

To manage your GCP credentials across multiple projects, you can use gcloud CLI configurations.

Create a new gcloud configuration

To create a new configuration, run gcloud init. gcloud will prompt you with a few questions to help you create the configuration.

Welcome! This command will take you through the configuration of gcloud.

Your current configuration has been set to: [default]

You can skip diagnostics next time by using the following flag:
gcloud init --skip-diagnostics

Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.
Reachability Check passed.
Network diagnostic passed (1/1 checks passed).

You must log in to continue. Would you like to log in (Y/n)?

Enter Y to start the login flow. gcloud should show a link and open a tab in your browser where you can log in to GCP.

The next step is to choose which GCP project to use.

You are logged in as: [<username>@archipelo.co].

Pick cloud project to use:
[1] archipelo-dev
[2] archipelo-prod
[3] archipelo-qa
[4] Enter a project ID
[5] Create a new project
Please enter numeric choice or text value (must exactly match list item):

Choose the project you want to use for this configuration. In this example, we want to use archipelo-dev, so we enter 1.

Finally, gcloud will ask whether you want to configure default values for Region and Zone. You can skip this.

List existing configurations

The configuration is now created. You can list all your configurations by running: gcloud config configurations list.

gcloud config configurations list
NAME     IS_ACTIVE  ACCOUNT                  PROJECT        COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
default  True       christophe@archipelo.co  archipelo-dev

Generate default credentials

You can now generate your default credentials file with this command: gcloud auth application-default login.

The command will generate a credentials file at $HOME/.config/gcloud/application_default_credentials.json.

Copy credentials to the appropriate location

Most of the Archipelo documentation expects the GCP credentials file to be at a specific location: $HOME/.config/archipelo/gcp-key-archipelo-dev.json.

You can move or copy the default credentials to that location:

mkdir -p "$HOME/.config/archipelo/"
cp "$HOME/.config/gcloud/application_default_credentials.json" "$HOME/.config/archipelo/gcp-key-archipelo-dev.json"

Or create a symlink from the default credentials file to the Archipelo location:

mkdir -p "$HOME/.config/archipelo/"
ln -s "$HOME/.config/gcloud/application_default_credentials.json" "$HOME/.config/archipelo/gcp-key-archipelo-dev.json"

The benefit of using a symlink is that you can have multiple gcloud configurations pointing to different GCP projects (dev, qa, prod). After you activate a different configuration and generate the default credentials again, the file $HOME/.config/archipelo/gcp-key-archipelo-dev.json automatically points to the selected project.

⚠️ While this is powerful, make sure to be careful if you select the production project.
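
A pre-flight check for the symlink setup and the warning above, added here as an example (it is not part of the original page or of Archipelo's tooling): it follows the link to the real credentials file, rejects files that group or other users can access, and compares the file's quota_project_id with the project you expect. The names check_gcp_key and demo and the sample file contents are constructed; that the credentials file contains quota_project_id is an assumption, true only when gcloud has set a quota project.

```shell
#!/bin/sh
# Added example (not Archipelo tooling): pre-flight check for the key path.
# Assumption: the ADC file carries "quota_project_id", which gcloud writes
# when a quota project is set by `gcloud auth application-default login`.

# check_gcp_key FILE EXPECTED_PROJECT
# Returns 0 ok, 1 unreadable, 2 group/other access, 3 project mismatch.
check_gcp_key() {
    key=$1
    expected=$2
    [ -r "$key" ] || { echo "unreadable: $key" >&2; return 1; }

    # -L dereferences the symlink, so this is the mode of the real file.
    # Columns 5-10 of the mode string are the group and other bits.
    mode=$(ls -ldL "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "too permissive: $key" >&2; return 2; }

    # Handles single-line and pretty-printed JSON alike.
    project=$(sed -n 's/.*"quota_project_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$key" | head -n 1)
    if [ "$project" != "$expected" ]; then
        echo "project is '${project:-unset}', expected '$expected'" >&2
        return 3
    fi
}

# Constructed sample: a fake credentials file behind a symlink, then the
# same file rewritten for another project while the link stays in place.
demo() {
    dir=$(mktemp -d) || return 1
    adc="$dir/application_default_credentials.json"
    link="$dir/gcp-key-archipelo-dev.json"
    fmt='{\n  "type": "authorized_user",\n  "quota_project_id": "%s"\n}\n'
    printf "$fmt" archipelo-dev > "$adc"
    chmod 600 "$adc"
    ln -s "$adc" "$link"
    first=0; check_gcp_key "$link" archipelo-dev || first=$?
    printf "$fmt" archipelo-prod > "$adc"   # regenerated for prod
    second=0; check_gcp_key "$link" archipelo-dev 2>/dev/null || second=$?
    rm -rf "$dir"
    echo "$first $second"
}

demo   # prints "0 3"
```

Against a real setup, call check_gcp_key "$HOME/.config/archipelo/gcp-key-archipelo-dev.json" archipelo-dev before running anything that reads the key, and stop on a non-zero status.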