Our team is stuck on a tricky authentication issue. We need to access Google Sheets data from both our GCP Compute Engine and local dev machines. The catch? We can’t download any Service Account JSON keys due to company policy.
We’ve got it working on GCE using Application Default Credentials (ADCs). Just had to set the right scopes and permissions. Easy peasy.
But local dev is a whole other beast. We’ve tried gcloud auth application-default login, but it’s a no-go for Drive API. Keep getting ‘insufficient authentication scopes’ errors.
We’ve thrown everything at it:
import google.auth
import google_auth_oauthlib

# First attempt: ask ADC for Drive-scoped credentials
creds, proj_id = google.auth.default(scopes=['https://www.googleapis.com/auth/drive'])

# And even this wild attempt: reuse the ADC client id/secret to run a user consent flow
creds, proj_id = google.auth.default()
user_creds = google_auth_oauthlib.get_user_credentials(
    ['https://www.googleapis.com/auth/drive'],
    creds._client_id,
    creds._client_secret,
)
Nothing works. We’re pulling our hair out here. Any ideas on how to make this work without breaking security rules? Thanks!
hey mate, have u tried using a custom oauth flow for local dev? it’s a bit of a pain to set up, but it might work. basically, u create an OAuth client ID in GCP, then use that to get user consent. no need to download any creds that way. just make sure to keep the client secret safe!
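The custom OAuth flow this reply describes, as an added example (not code from the thread or from Google's libraries): it assumes an OAuth client ID of type "Desktop app" exists in the GCP project and that its id and secret are supplied through two environment variables whose names (GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET) and the token cache path are choices made here. The client config is built in memory, so no client_secret.json is downloaded or committed, the refresh token is cached with owner-only permissions, and the cache is only reused when the scopes it was granted cover the scopes the code needs, which is the mismatch behind the "insufficient authentication scopes" error in the question.

```python
"""Local-dev OAuth 'installed app' flow for Google Sheets/Drive with a scope
check on the cached token. Added example; not the OP's or the answerer's code.
Assumes a 'Desktop app' OAuth client ID exists and that its id/secret arrive
via GOOGLE_OAUTH_CLIENT_ID / GOOGLE_OAUTH_CLIENT_SECRET (names chosen here)."""
from __future__ import annotations

import json
import os
import stat
from pathlib import Path

DRIVE_SCOPES = ["https://www.googleapis.com/auth/drive"]
# Hypothetical cache location; any per-user, non-repo path works.
TOKEN_PATH = Path.home() / ".config" / "myapp" / "drive-token.json"


def build_client_config(client_id: str, client_secret: str) -> dict:
    """Client config in the shape google_auth_oauthlib expects for a desktop
    app, built in memory so no client_secret.json is ever downloaded."""
    return {
        "installed": {
            "client_id": client_id,
            "client_secret": client_secret,
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token",
            "redirect_uris": ["http://localhost"],
        }
    }


def token_covers_scopes(token_json: str, required: list[str]) -> bool:
    """True if a cached authorized_user token (as written by
    Credentials.to_json()) was granted every required scope. A token minted
    for cloud-platform only fails this check instead of producing a 403 later."""
    try:
        data = json.loads(token_json)
    except json.JSONDecodeError:
        return False
    if data.get("type", "authorized_user") != "authorized_user":
        return False
    if not data.get("refresh_token"):
        return False
    granted = set(data.get("scopes") or [])
    return set(required) <= granted


def load_cached_credentials(path: Path, scopes: list[str]):
    """Return cached user credentials only if the file covers the scopes."""
    if not path.exists() or not token_covers_scopes(path.read_text(), scopes):
        return None
    from google.oauth2.credentials import Credentials  # lazy: only for a real run
    return Credentials.from_authorized_user_file(str(path), scopes)


def save_credentials(creds, path: Path) -> None:
    """Persist the refresh token with owner-only (0600) permissions."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(creds.to_json())
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)


def get_drive_credentials(scopes: list[str] = DRIVE_SCOPES, token_path: Path = TOKEN_PATH):
    """Reuse a cached token when it covers the scopes; otherwise run the
    browser consent flow once with the requested scopes and cache the result."""
    creds = load_cached_credentials(token_path, scopes)
    if creds is not None:
        return creds
    from google_auth_oauthlib.flow import InstalledAppFlow  # lazy: only for a real run
    client_id = os.environ["GOOGLE_OAUTH_CLIENT_ID"]
    client_secret = os.environ["GOOGLE_OAUTH_CLIENT_SECRET"]
    flow = InstalledAppFlow.from_client_config(build_client_config(client_id, client_secret), scopes)
    creds = flow.run_local_server()  # opens the browser for user consent
    save_credentials(creds, token_path)
    return creds


if __name__ == "__main__":
    from googleapiclient.discovery import build
    service = build("sheets", "v4", credentials=get_drive_credentials())
    print(service.spreadsheets())
```

If the required scopes ever change, the cache check fails closed and the consent flow runs again with the new scope list, rather than reusing a token that the API will reject.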
I encountered this issue a while back and found that Workload Identity Federation is a viable solution for local development. By establishing a Workload Identity Pool and setting up an external identity provider, you can provision a corresponding provider in GCP. After granting the appropriate IAM roles, configure ADC through the gcloud CLI to use the federation endpoint. Although the initial setup is a bit involved, this method aligns with strict security policies and works well on both Compute Engine and local machines.
I’ve been down this road before, and it’s definitely a tricky one. Have you considered using Google Cloud SDK’s gcloud auth login command for local development? It’s not perfect, but it’s saved me a few headaches.
Here’s what worked for me:
Run gcloud auth login and authenticate with your Google account.
Then use gcloud auth application-default login to set up ADC.
This approach lets you use your personal Google account credentials without downloading any service account keys. It’s not ideal for production, but it’s been a lifesaver for local development.
Just remember to clear your application-default credentials when you’re done (gcloud auth application-default revoke) to keep things tidy. Hope this helps!
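A preflight for the ADC setup described in this reply and for the Workload Identity Federation configuration suggested two replies up, as an added example (not code from the thread): it reads the ADC file that gcloud writes (or the one GOOGLE_APPLICATION_CREDENTIALS points at), reports whether it is user credentials, an external_account federation config, or a downloaded service-account key, then asks Google's tokeninfo endpoint which scopes the minted access token actually carries and fails with a readable message when Drive is missing. The fetcher is injectable so the scope check can be exercised offline with constructed responses; the pool id "dev-pool" in the test data is made up.

```python
"""Preflight for Application Default Credentials on a dev machine.
Added example, not code from the thread. Classifies the ADC JSON and checks
the scopes the access token carries before any Sheets/Drive call is made."""
from __future__ import annotations

import json
import os
import urllib.parse
import urllib.request
from pathlib import Path

DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"


def adc_path() -> Path:
    """Where google.auth.default() looks when GOOGLE_APPLICATION_CREDENTIALS is unset."""
    env = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if env:
        return Path(env)
    return Path.home() / ".config" / "gcloud" / "application_default_credentials.json"


def describe_adc(adc: dict) -> str:
    """Classify the ADC JSON by its 'type' field. A service-account key file is
    flagged because the OP's policy forbids downloading keys."""
    kind = adc.get("type")
    if kind == "authorized_user":
        return "user credentials from gcloud; scopes were fixed at login time"
    if kind == "external_account":
        # audience looks like //iam.googleapis.com/projects/N/locations/global/
        #   workloadIdentityPools/POOL/providers/PROVIDER
        parts = adc.get("audience", "").split("/")
        pool = "?"
        if "workloadIdentityPools" in parts:
            pool = parts[parts.index("workloadIdentityPools") + 1]
        return f"workload identity federation via pool {pool}; no long-lived key on disk"
    if kind == "service_account":
        return "downloaded service account key: violates the no-key policy"
    return f"unrecognised credential type {kind!r}"


def fetch_json(url: str) -> dict:
    """Default fetcher: plain GET returning parsed JSON."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def granted_scopes(access_token: str, fetcher=fetch_json) -> set[str]:
    """Ask the tokeninfo endpoint which scopes an access token carries.
    Its 'scope' field is a space-separated list."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": access_token})
    info = fetcher(url)
    return set(info.get("scope", "").split())


def missing_scopes(access_token: str, required: list[str], fetcher=fetch_json) -> list[str]:
    """Scopes in `required` the token does not carry, in the order given."""
    have = granted_scopes(access_token, fetcher)
    return [s for s in required if s not in have]


def preflight(required: tuple[str, ...] = (DRIVE_SCOPE,)) -> None:
    """Fail fast with a clear message instead of a 403 deep inside a Sheets call.
    Passing scopes to google.auth.default() matters for external_account
    credentials; for gcloud user credentials it does not widen anything."""
    import google.auth  # lazy: only needed for a real run
    import google.auth.transport.requests
    adc = json.loads(adc_path().read_text())
    print("ADC:", describe_adc(adc))
    creds, _ = google.auth.default(scopes=list(required))
    creds.refresh(google.auth.transport.requests.Request())
    lacking = missing_scopes(creds.token, list(required))
    if lacking:
        raise SystemExit("ADC token lacks scopes: " + ", ".join(lacking))
    print("ADC token carries all required scopes")


if __name__ == "__main__":
    preflight()
```

Run it once after `gcloud auth application-default login`; a "lacks scopes" exit means the login did not grant Drive and no amount of passing scopes to google.auth.default() on the user-credentials path will change that, which is the symptom the question reports.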