How to authenticate to Google Cloud Platform using the active gcloud configuration in Go

06 May, 2020
Xebia Background Header Wave

When you want to create a command line utility for Google Cloud Platform, it would be awesome if you could authenticate using the active gcloud configuration. Unfortunately, none of the Google Cloud Client libraries support using the gcloud credentials. In this blog, I will present a small go library which you can use to do just that.

How to use it?

It is really simple. You import the package and call the GetCredentials function, as shown below:

package main

import ""

func main() {
    name := ""
    credentials, err := gcloudconfig.GetCredentials(name)

The name specifies the configuration you want to use, or the current active one if unspecified. The credentials can be passed in when you create a service client, as shown below:

    computeService, err := compute.NewService(ctx,

If the core/project property has been set, it is available in the credential too:

    project := credentials.ProjectId

That is all there is to it! Check out the complete example of using the gcloud configured credentials. If you want to access other settings in the configuration use GetConfig.

How does it work?

The function will executes the command gcloud config config-helper, which is a gcloud helper for providing authentication and configuration data to external tools. It returns an access token, an id token, the name of the active configuration and all of the associated configuration properties:

  active_configuration: playground
      project: playground
  access_token: ya12.YHYeGSG8flksArMeVRXsQB4HFQ8aodXiGdBgfEdznaVuAymcBGHS6pZSp7RqBMjSzHgET08BmH3TntQDOteVPIQWZNJmiXZDr1i99ELRqDxDAP8Jk1RFu1xew7XKeQTOTnm22AGDh28pUEHXVaXtRN8GZ4xHbOoxrTt7yBG3R7ff9ajGVYHYeGSG8flksArMeVRXsQB4HFQ8aodXiGdBgfEdznaVuAymcBGHS6pZSp7RqBMjSzHgET08BmH3TntQDOteVPIQWZNJmiXZDr1i99ELRqDxDAP8Jk1RFu1xew7XKeQTOTnm22AGDh28pUEHXVaXtRN8GZ4xHbOoxrTt7yBG3R7ff9ajGV
  id_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI5OTk5OTk5OTk5OS5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6Ijk5OTk5OTk5OTk5LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTExMTExMTExMTEyMjIyMjIyMjIyMjIiLCJoZCI6InhlYmlhLmNvbSIsImVtYWlsIjoibWFya3ZhbmhvbHN0ZWlqbkBiaW54LmlvIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiJScnhBVHRSaTE2TFNOSG1JdnZEWVdnIiwiaWF0IjoxNTg4NzAxNjgzLCJleHAiOjE1ODg3MDUyODN9.DWtAHSvWgXaW0zzoLf2MkiROS_DSS2Wf-k_HQj53g3I
  token_expiry: '2020-05-05T19:01:22Z'

When the token is expired, the library will call the helper again to refresh it. Note that Google is unsure whether the config-helper is a good thing. If you read gcloud config config-helper --help, you will notice the following sentence:

This command is an internal implementation detail and may change or disappear without notice.

Although, for the development of command line utilities which integrate into the Google Cloud SDK ecosystem, it would be really handy if Google would provide an official way to obtain the active gcloud configuration and credentials.


With the help of this library, it is possible to create a command line utility in Go for the Google Cloud Platform, that integrates into the gcloud ecosystem. It is unfortunate that the config-helper is documented to be a volatile interface. Given the simplicity of the interface, I trust this library will be able to deal with any future changes. It would be even better, if Google would provide official support.

We also created a library for authenticating with gcloud credentials in Python.

Image by Kerstin Riemer from Pixabay

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.

Get in touch with us to learn more about the subject and related solutions

Explore related posts