#authentication #gcp #google


Google cloud platform (GCP) authentication using default and custom service accounts

17 unstable releases (5 breaking)

0.6.1 Dec 13, 2021
0.5.0 Aug 4, 2021
0.4.0 Jan 31, 2021
0.3.2 Nov 17, 2020
0.1.4 Jul 2, 2020

#9 in Authentication

Download history 839/week @ 2021-09-26 917/week @ 2021-10-03 644/week @ 2021-10-10 863/week @ 2021-10-17 651/week @ 2021-10-24 1123/week @ 2021-10-31 1173/week @ 2021-11-07 1523/week @ 2021-11-14 1018/week @ 2021-11-21 1121/week @ 2021-11-28 715/week @ 2021-12-05 1036/week @ 2021-12-12 631/week @ 2021-12-19 384/week @ 2021-12-26 1030/week @ 2022-01-02 1146/week @ 2022-01-09

3,211 downloads per month
Used in 2 crates

MIT license

659 lines

GCP Auth

Crates.io Documentation MIT licensed

GCP Auth is a simple, minimal authentication library for Google Cloud Platform (GCP) providing authentication using services accounts. Once authenticated, the service account can be used to acquire bearer tokens for use in authenticating against GCP services.

The library looks for authentication methods in the following order:

  1. Path to service account JSON configuration file using GOOGLE_APPLICATION_CREDENTIALS environment variable. The service account configuration file can be downloaded in the IAM service when displaying service account detail. The downloaded JSON file should be provided without any further modification.
  2. Invoking the library inside GCP environment fetches the default service account for the service and he application is authenticated using that particular account
  3. Application default credentials. Local user authetincation for development purposes created using gcloud auth application.
  4. If none of the above can be used an error occurs

Tokens should not be cached in the application; before every use a new token should be requested. The GCP auth library contains logic to determine if an already available token can be used, or if a new token should be requested.

Default service account

When running inside GCP the library can be asked without any further configuration to provide a bearer token for the current service account of the service.

let scopes = &["https://www.googleapis.com/auth/bigquery/"];
let authentication_manager = gcp_auth::init().await?;
let token = authentication_manager.get_token(scopes).await?;

Custom service account

When running outside of GCP (for example, on a developer's laptop), a custom service account may be used to grant some permissions. To use a custom service account a configuration file containing a private key can be downloaded in IAM service for the service account you intend to use. The configuration file has to be available to the application at run time. The path to the configuration file is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable.

// With the GOOGLE_APPLICATION_CREDENTIALS environment variable set
let scopes = &["https://www.googleapis.com/auth/bigquery/"];
let authentication_manager = gcp_auth::init().await?;
let token = authentication_manager.get_token(&scopes).await?;

You may instantiate authentication_manager from a credentials file path using the method from_credentials_file:

 // `credentials_path` variable is the path for the credentials `.json` file.
 let authentication_manager = gcp_auth::from_credentials_file(credentials_path).await?;
 let token = authentication_manager.get_token().await?;

Local user authentication

This authentication method allows developers to authenticate again GCP when developing locally. Its use should be limited to development. Credentials can be set up using the gcloud auth utility. Credentials are read from file ~/.config/gcloud/application_default_credentials.json.


Does the library support windows?


Getting tokens in multithreaded async programs

There is a simple pattern that can be used in async/await programs, to avoid creating multiple instances of AuthenticationManager:

use once_cell::sync::Lazy;

static AUTHENTICATOR: Lazy<gcp_auth::AuthenticationManager> =
    Lazy::new(|| {
        futures::executor::block_on(gcp_auth::init()).expect("Should set-up auth")


Parts of the implementatino have been sourced from yup-oauth2.

Licensed under MIT license.


~411K SLoC