2022-03-13

Easier testing of GCP scripts with user credentials

Recently I’ve been working with the Google Cloud Platform and Node.js at work. Sometimes it’s a pain to generate service accounts for development, only to clean them up later, especially when you don’t have IAM access.

But, I found out that you can just test your scripts/projects quite easily with your user account credentials:

Install the gcloud CLI: https://cloud.google.com/sdk/docs/install
Login to GCP in the CLI with gcloud auth application-default login
- This will provide you with application-default credentials once authenticated, i.e. a JSON file similar to a service account’s one, but is automatically picked up by SDK libraries
Ensure the project ID is set…
- export GCLOUD_PROJECT=<your GCP project ID>
- Or, make sure it is defined in your script, e.g. new BigQuery({ projectId: '<your GCP project ID>' })
- (You may prefer the first option if in the production environment, you just want it to pick up the project ID by default and not hard-code it in the script)
That’s it!
- Node.js libraries such as @google-cloud/bigquery should authenticate with your user access
- It also works in other languages’ libraries such as ones in Ruby

This is pretty simple to do, but the third step above had me stumped for longer than I’d like to admit. The process of signing in with ‘application-default credentials’ is also quite verbose in the official documentation and isn’t clear (at least to me) that this is what it does – hopefully this saves someone some time.

As common sense, this should not be used in production, but is very useful in testing or one-off manually executed scripts – be very careful if your regular user account has a lot of permissions though. Be sure to still test with a service account before deploying to ensure it has the right access.

Let me know if this approach is really bad and shouldn’t be used, though – I’m still a big noob at this. Otherwise, enjoy!