# gtokenserver

gtokenserver is a Google metadata server emulator that provides access tokens.

gtokenserver allows Google Cloud SDK tools (gcloud, gsutil, bq) and applications using Google Cloud client libraries to authenticate to Google Cloud Platform instead of using `gcloud auth login`, `gcloud auth application-default login`, etc.
- You can authenticate Google Cloud SDK tools (gcloud, gsutil, bq) and applications using Google Cloud client libraries in the same way.
    - `gcloud auth` requires you to use `gcloud auth login` (or `gcloud auth activate-service-account`) for Google Cloud SDK tools, and `gcloud auth application-default login` (or the `GOOGLE_APPLICATION_CREDENTIALS` environment variable) for applications using Google Cloud client libraries.
- You can authenticate applications using Google Cloud client libraries with user accounts and service accounts in the same way.
    - Otherwise you have to run `gcloud auth application-default login` for user accounts, and you have to configure the `GOOGLE_APPLICATION_CREDENTIALS` environment variable for service accounts.
    - You have to launch gtokenserver in different ways, but you can launch applications requiring authentication in the same way.
With docker:

- Create a new network (`gcloud` for here): `docker network create gcloud`
- Run gtokenserver:
    - For user accounts:
        - Create a new volume (`gcloud-config` for here): `docker volume create gcloud-config`
        - Run `gcloud auth application-default login`:

          ```sh
          docker run --rm -it -v gcloud-config:/gcloud-config -e CLOUDSDK_CONFIG=/gcloud-config \
              google/cloud-sdk:alpine gcloud auth application-default login
          ```

        - Run gtokenserver:

          ```sh
          docker run -v gcloud-config:/gcloud-config -e CLOUDSDK_CONFIG=/gcloud-config \
              --network gcloud -d --rm --name gtokenserver ikedam/gtokenserver
          ```

    - For service accounts:
        - Run gtokenserver with the private key json file mounted at the path `GOOGLE_APPLICATION_CREDENTIALS` points to:

          ```sh
          docker run -v /path/to/service-account-private-key.json:/key.json -e GOOGLE_APPLICATION_CREDENTIALS=/key.json \
              --network gcloud -d --rm --name gtokenserver ikedam/gtokenserver
          ```

    - You may want to run with `--restart always` instead of `--rm` to keep gtokenserver running on your machine.
- Run applications that require authentication:
    - Google SDK tools:

      ```sh
      docker run --rm --network gcloud -e GCE_METADATA_ROOT=gtokenserver \
          google/cloud-sdk:alpine gcloud projects list
      ```

    - Applications using Google Cloud client libraries (let's use sops for example):

      ```sh
      cat test.yaml | \
          docker run --rm --network gcloud -e GCE_METADATA_HOST=gtokenserver -i \
          mozilla/sops:alpine --encrypt \
          --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key \
          --input-type yaml /dev/stdin
      ```

    - Be careful that Google SDK tools refer to `GCE_METADATA_ROOT` but Google client libraries refer to `GCE_METADATA_HOST`.
- To stop gtokenserver: `docker kill gtokenserver`
Without docker:

- Run gtokenserver:
    - For user accounts:
        - Run `gcloud auth application-default login`: `gcloud auth application-default login`
        - Run gtokenserver: `gtokenserver`
            - It binds localhost:8080 by default. You can change the port with the `-p` option.
    - For service accounts:
        - Run gtokenserver with the private key json file: `GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-private-key.json gtokenserver`
- Run applications that require authentication:
    - Google SDK tools: `GCE_METADATA_ROOT=localhost:8080 gcloud projects list`
    - Applications using Google Cloud client libraries (let's use sops for example):

      ```sh
      GCE_METADATA_HOST=localhost:8080 sops --encrypt \
          --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key \
          test.yaml > test.enc.yaml
      ```

    - Be careful that Google SDK tools refer to `GCE_METADATA_ROOT` but Google client libraries refer to `GCE_METADATA_HOST`.
gtokenserver doesn't provide all features of Google metadata servers. It's designed only to provide access tokens.
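As an added example (not gtokenserver's own code), the exchange a client library performs once `GCE_METADATA_HOST` points at an emulator: the client fetches a token from the metadata server's standard token path with the `Metadata-Flavor: Google` header, and a constructed stand-in server answers with a constructed token. The stand-in assumes the real metadata server's behaviour of refusing requests without that header; whether gtokenserver enforces it is not stated on this page.

```python
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/computeMetadata/v1/instance/service-accounts/default/token"  # path client libraries query
SAMPLE_TOKEN = {"access_token": "ya29.constructed-example", "expires_in": 3599, "token_type": "Bearer"}  # constructed

class MetadataStub(BaseHTTPRequestHandler):
    """Stand-in for the metadata token endpoint (constructed here, not gtokenserver's code)."""

    def do_GET(self):
        # The real metadata server refuses requests lacking this header, so a browser
        # or a naive SSRF primitive cannot read the token; the stub mirrors that check.
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_error(403, "Missing Metadata-Flavor: Google header")
            return
        if self.path.split("?", 1)[0] != TOKEN_PATH:
            self.send_error(404, "Not found")
            return
        body = json.dumps(SAMPLE_TOKEN).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_stub():
    """Serve the stub on an ephemeral localhost port; return 'host:port'."""
    server = HTTPServer(("127.0.0.1", 0), MetadataStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "%s:%d" % server.server_address

def fetch_access_token(metadata_host=None):
    """Fetch a token the way a client library does, honouring GCE_METADATA_HOST."""
    host = metadata_host or os.environ.get("GCE_METADATA_HOST", "metadata.google.internal")
    req = urllib.request.Request("http://%s%s" % (host, TOKEN_PATH), headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def probe_without_header(host):
    """Return the HTTP status a request without Metadata-Flavor gets (403 from the stub)."""
    try:
        with urllib.request.urlopen("http://%s%s" % (host, TOKEN_PATH), timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

Call `start_stub()` and pass the returned `host:port` to `fetch_access_token()`; pointing `fetch_access_token()` at a running gtokenserver (e.g. `localhost:8080`) instead shows the same request against the real emulator.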