How to Authorize googlecloudstorage with a service account

Tony_M · November 15, 2024, 5:17am

We all know it's preferable to authorize rclone with a service account. Service-accounts practice POLP by reducing the permissions scope to only the narrow permissions needed to complete the task. Using user permissions give rclone broad access to your account.

This guide explains how to obtain a service account access-token via gcloud CLI without generating a service-account-keys. Service-account keys are an issue because (a) they can be breached and (b) they are a pain to generate. An account-token is temporary

The overall process includes

Create a service account using

gcloud iam service-accounts create gcs-read-only

Attach read-only role to the service account

PROJECT_ID=my-project
 gcloud --verbose iam service-accounts add-iam-policy-binding \
    gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com  \
    --member=serviceAccount:gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com \
    --role=roles/storage.objectUser

Get access key for service account

 gcloud auth application-default print-access-token  \
   --impersonate-service-account \
       dev-gcloud-go@${PROJECT_ID}.iam.gserviceaccount.com  

ya29.c.c0ASRK0GbAFEewXD [truncated]

update rclone.conf
find {access_token": "xxx"} and replace the value with the access token from step 3
Run rclone as usual

rclone ls dev-gcs:${MY_BUCKET}/

More Info on Service Accounts

Tony_M · November 15, 2024, 7:40pm

A few more benefits of using service accounts with access tokens (instead of json key files)

The tokens are temporary and expire when you want them to
no need for the clumsy oauth flow. this is great on remote SSH without access to a web browser
You don't need to authorize the Rclone App ID to your account. The Rclone APP ID authoriztation opens up access to your google account to the rclone app ID owner.

ncw · November 17, 2024, 10:19am

Thank you for writing this up. Do you want to contribute this to the rclone docs? Perhaps another section in this doc?

github.com

rclone/rclone/blob/master/docs/content/googlecloudstorage.md

---
title: "Google Cloud Storage"
description: "Rclone docs for Google Cloud Storage"
versionIntroduced: "v1.02"
---

# {{< icon "fab fa-google" >}} Google Cloud Storage

Paths are specified as `remote:bucket` (or `remote:` for the `lsd`
command.)  You may put subdirectories in too, e.g. `remote:bucket/path/to/dir`.

## Configuration

The initial setup for google cloud storage involves getting a token from Google Cloud Storage
which you need to do in your browser.  `rclone config` walks you
through it.

Here is an example of how to make a remote called `remote`.  First run:

     rclone config

This file has been truncated. show original

We could also come up with a command line to do the config file editing

rclone config update

Should be able to do it. It might need an extra flag to stop rclone asking for a new token!

Tony_M · November 18, 2024, 11:24pm

thanks for calling that out. i'll update those docs

Tony_M · November 19, 2024, 1:38am

Here's a PR for the docs. I'll look into the config option as it would be an improvement.

github.com/rclone/rclone

googlecloudstorage: update docs on service account access tokens

rclone:master ← tonymet:gcs-access-tokens

opened 01:38AM - 19 Nov 24 UTC

tonymet

+45 -0

#### What is the purpose of this change? Update GCS docs to add a section on authenticating service accounts using access tokens. Access tokens are simpler & more secure on remote machines.  #### Was the change discussed in an issue or in the forum before? https://forum.rclone.org/t/how-to-authorize-googlecloudstorage-with-a-service-account/48669  #### Checklist - [✅ ] I have read the [contribution guidelines](https://github.com/rclone/rclone/blob/master/CONTRIBUTING.md#submitting-a-new-feature-or-bug-fix). - [✅ ] I have added tests for all changes in this PR if appropriate. - [ ✅] I have added documentation for the changes if appropriate. - [ ✅] All commit messages are in [house style](https://github.com/rclone/rclone/blob/master/CONTRIBUTING.md#commit-messages). - [ ] I'm done, this Pull Request is ready for review :-)

vaishu · December 13, 2024, 12:06am

Hey Tony,

Why are you getting the access token for the dev-gcloud-go service account when you created the gcs-read-only service account for rclone to use to access to GCS bucket? Isn't it just ending up using the permissions applied to the dev-gcloud-go account?

Tony_M · December 13, 2024, 12:55am

i'm sorry the service account should be gcs-read-only in step #3

UpperM · January 8, 2025, 8:05am

Hi @Tony_M, I try to use short live token but I have the error failed to configure Google Cloud Storage: google: could not find default credentials.. It's seem like the client still try using ADC instead token, do you have an idea ?

details of my issue : Using service account access token with GCP is not working

Thanks

Edit : My bad, the access_token feature is not yet released. I have build rclone from master and it's working !