I have two projects running locally which both use Application Default Credentials. One is in Spring Boot and one is in NodeJS. They use different projects on my same GCP account.

The NodeJS one was working fine and using Google's auth library to authenticate and then use the Google Sheets API.

I then started the Spring Boot one which points to a GCP SQL server. To get this working, I had to change the project that the gcloud CLI was referring to, and then run gcloud auth application-default login. This then worked and I was able to access everything needed for this app.

When trying to move back to the NodeJS project I was unable to authenticate, which I expected. However, when I pointed the gcloud CLI back to this project and ran gcloud auth application-default login again, I was still unable to authenticate. I also expected the Spring Boot app to fail again, but it still worked.

There are two interesting lines in the console when I start up the Spring Boot app:

c.g.c.s.core.DefaultCredentialsProvider  : Scopes in use by default credentials: [{Scopes for Spring Boot App}]
c.g.c.s.a.c.GcpContextAutoConfiguration  : The default project ID is {MYNODEJSAPP}

Why have the default credentials retained the wrong scope despite changing to the correct project ID?

Also, is there a better way to manage two sets of ADCs locally than needing to keep switching the project in the CLI?

  • Did you set your project to use somewhere? Commented Apr 6, 2024 at 13:26
  • What do you mean? @guillaumeblaquiere Commented Apr 6, 2024 at 13:41
  • I don't understand your issue. The gcloud auth app default login is for authenticating you, as an account. From there, your permissions are used to access different APIs. You can set a default quota project to change the default project, but you can also set this project value in your code directly. The runtime of an application that uses the ADC file does not modify it; it only reads it to generate an access token (from the refresh token) contained in the ADC file; no more, no project relationship. Or you missed sharing important information. Commented Apr 6, 2024 at 15:28
  • @guillaumeblaquiere Basically when I run my NodeJS project locally the default credential doesn't have authorisation to access the Sheets API when it definitely did before I started using the other project Commented Apr 6, 2024 at 15:39
  • 1
    I agree with Chris here... the Google docs and some comments here simply imply one should store long-lived service account key JSON files on your personal laptop, which is a bit stupid. Impersonation should be the solution, which can/should be backed by an SSO/MFA flow. Commented Jun 4, 2024 at 9:32
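
An added example, not part of the original thread and not code from any Google library: a Python sketch that resolves which ADC file a local process would load and summarizes it without printing secrets, following the comments above about what the ADC file contains and about long-lived key files. The sample documents are constructed, the field names are the ones gcloud and service account key files use, and the Linux/macOS well-known path is assumed.

```python
import json
import os
from pathlib import Path

# Assumed Linux/macOS location written by `gcloud auth application-default login`.
WELL_KNOWN = Path.home() / ".config" / "gcloud" / "application_default_credentials.json"

# Constructed sample documents (placeholder values, not real credentials).
SAMPLE_USER = {"type": "authorized_user", "client_id": "example-client-id",
               "refresh_token": "example-refresh-token",
               "quota_project_id": "example-quota-project"}
SAMPLE_KEY = {"type": "service_account", "project_id": "example-project",
              "private_key": "example-private-key-placeholder"}


def resolve_adc_path(env=None):
    """Return the file ADC loads: GOOGLE_APPLICATION_CREDENTIALS wins over the well-known file."""
    env = os.environ if env is None else env
    override = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    return Path(override) if override else WELL_KNOWN


def summarize_adc(data):
    """Describe an ADC document without echoing any secret value."""
    kind = data.get("type", "unknown")
    return {
        "type": kind,
        # Quota/billing project only; it does not select which project's resources are used.
        "quota_project_id": data.get("quota_project_id"),
        # User credentials carry a refresh token that is exchanged for access tokens.
        "has_refresh_token": "refresh_token" in data,
        # A service account key file is a long-lived secret stored on disk.
        "long_lived_key": kind == "service_account" and "private_key" in data,
        "impersonates": data.get("service_account_impersonation_url"),
    }


def inspect(env=None):
    """Summarize whichever ADC file the given environment would select."""
    path = resolve_adc_path(env)
    if not path.is_file():
        return {"path": str(path), "found": False}
    with path.open(encoding="utf-8") as fh:
        return {"path": str(path), "found": True, **summarize_adc(json.load(fh))}


if __name__ == "__main__":
    print(inspect())
    print(summarize_adc(SAMPLE_USER))
    print(summarize_adc(SAMPLE_KEY))
```

Running it in each project's shell shows whether both applications are reading the same file.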
