google-cloud-auth

What this skill does

# Authenticating to Google Cloud

[Authentication](https://docs.cloud.google.com/docs/authentication) is the
process of proving **who you are**. In Google Cloud, you represent a
**Principal** (an identity like a user or a service). This is the first step
before [Authorization](https://docs.cloud.google.com/iam/docs/overview)
(determining **what you can do**).

## Authentication

### Clarifying Questions for the Agent

Before providing a specific solution, clarify the following with the user:

1.  **Who or what is authenticating?** (A human developer, a local script, or an
    application running in production?)
2.  **Where is the code running?** (Local laptop, [Compute
    Engine](https://docs.cloud.google.com/compute/docs),
    [GKE](https://docs.cloud.google.com/kubernetes-engine/docs), [Cloud
    Run](https://docs.cloud.google.com/run/docs), or another cloud like
    AWS/Azure?)
3.  **What is the target?** (A Google Cloud API like Storage/BigQuery, or a
    custom application you built?)
4.  **Are you using a high-level client library?** (e.g., Python, Go, Node.js
    libraries usually handle ADC automatically.)

---

## Human Authentication

For users to access Google Cloud, they need an identity that Google Cloud can
recognize.

### Types of User Identities

Google Cloud supports several ways to configure identities for your internal
workforce (developers, administrators, employees):

*   **[Google-Managed
    Accounts](https://docs.cloud.google.com/iam/docs/user-identities#google-accounts)**:
    You can use Cloud Identity or Google Workspace to create managed user
    accounts. These are called managed accounts because your organization
    controls their lifecycle and configuration.
*   **[Federation using Cloud Identity or Google
    Workspace](https://docs.cloud.google.com/iam/docs/user-identities#synced-federation)**:
    You can federate identities to allow users to use their existing identity
    and credentials to sign in to Google services. Users authenticate against an
    external identity provider (IdP), but you must keep accounts synchronized
    into Google Cloud using tools like Google Cloud Directory Sync (GCDS) or an
    external authoritative source like Active Directory or Microsoft Entra ID.
*   **[Workforce Identity
    Federation](https://docs.cloud.google.com/iam/docs/user-identities#workforce)**:
    This lets you use an external IdP to authenticate and authorize a workforce
    using IAM directly. Unlike standard federation, you do not need to
    synchronize user identities from your existing IdP to Google Cloud
    identities. It supports syncless, attribute-based single sign-on.

### Methods of Access for Developers and Administrators

Used for interacting with Google Cloud resources and APIs during development and
management.

*   **[Google Cloud Console](https://console.cloud.google.com/)**: The primary
    web interface. You authenticate using your Google Account (Gmail or [Google
    Workspace](https://workspace.google.com/)).
*   **[gcloud CLI](https://docs.cloud.google.com/sdk/docs/install-sdk) (`gcloud
    auth login`)**: Used to authenticate the CLI itself so you can run
    management commands (e.g., `gcloud compute instances list`). It uses a
    **Credential** (like an OAuth 2.0 refresh token) stored locally.
*   **Local Development with [App Default Credentials
    (ADC)](https://docs.cloud.google.com/docs/authentication/application-default-credentials)
    (`gcloud auth application-default login`)**: This is different from CLI
    auth. It creates a local JSON file that Google Cloud **Client Libraries**
    (Python, Java, etc.) use to act as "you" when you run code on your laptop.
*   **[Service Account
    Impersonation](https://docs.cloud.google.com/docs/authentication/use-service-account-impersonation)**:
    For security reasons, developers should avoid downloading Service Account
    keys entirely. Instead, they should authenticate as humans (`gcloud auth
    login`) and use Service Account Impersonation to run CLI commands or
    generate short-lived credentials. This is a critical best practice for local
    development and troubleshooting.

### For End-Users and Customers

Used when a human (who is not a developer) needs to access a web application
you've deployed on Google Cloud. Note: These are distinct from workforce
identities.

*   **[Identity-Aware Proxy (IAP)](https://docs.cloud.google.com/iap/docs)**:
    Acts as a central authorization layer for web applications. It intercepts
    web requests and verifies the user's identity (via Google Workspace, Cloud
    Identity, or external providers) before letting them reach the application.
    It's often used to protect internal apps without a VPN, or secure customer
    portals.
*   **[Identity
    Platform](https://docs.cloud.google.com/identity-platform/docs)**: A
    Customer Identity and Access Management (CIAM) solution for adding consumer
    sign-in (email/password, phone, social) directly into the code of your
    custom-built applications.

---

## Service-to-Service Authentication

When code runs in production, it should use a **Service Account** rather than a
human user account.

### Service Accounts and Service Agents

*   **[Service
    Account](https://docs.cloud.google.com/iam/docs/service-account-overview)**:
    A special identity intended for non-human users. It's like a "robot
    identity" with its own email address.
*   **[Service Agent](https://docs.cloud.google.com/iam/docs/service-agents)**:
    A service account managed by Google that allows a service (like Pub/Sub) to
    access your resources on your behalf.

### Best Practice: Attaching Service Accounts

Instead of using **Service Account Keys** (dangerous JSON files), you should
**attach** a custom service account to the Google Cloud resource. The resource's
environment then provides a **Token** (a short-lived digital object) via a local
metadata server.

*   **[Compute
    Engine](https://docs.cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances)**:
    Assign a service account during VM creation.
*   **[Cloud
    Run](https://docs.cloud.google.com/run/docs/securing/service-identity)**:
    Assign a service account in the service configuration.

### Special Cases & Advanced Topics

#### Kubernetes Engine (GKE)

Use **[Workload Identity Federation for
GKE](https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)**
to map Kubernetes identities to IAM principal identifiers. This grants specific
Kubernetes workloads access to specific Google Cloud APIs. [Learn more
here.](https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#configure-authz-principals)

#### External Workloads ([Workload Identity Federation](https://docs.cloud.google.com/iam/docs/workload-identity-federation))

For code running **outside** Google Cloud (e.g., AWS, Azure, or on-prem), do not
use keys. Instead, use Workload Identity Federation to exchange an external
token (like an AWS IAM role) for a short-lived Google Cloud access token.

#### [API Keys](https://docs.cloud.google.com/docs/authentication/api-keys)

API keys are encrypted strings used for public data (e.g., Google Maps) or
simplified access like **[Vertex AI Express
Mode](https://docs.cloud.google.com/vertex-ai/generative-ai/docs/start/express-mode/overview)**,
which allows fast testing of Gemini models without complex setup. Both humans
and services (e.g., Cloud Run-based AI agent) can use API keys, for the services
that support it.

Note: API keys should be
[restricted](https://docs.cloud.google.com/api-keys/docs/add-restrictions-api-keys)
to specific APIs and projects to minimize security risks. Store API keys in a
secrets manager like [Secret
Manager](https://docs.cloud.google.com/secret-manager/docs) to prevent
accidental exposure.

#### OAuth 2.0 Access Scopes

While IAM is the modern way to handle authorization, legacy Compute Engine VMs
and GKE node po