When you create a new workspace, it all works fine with
gcloud… until the API tokens expire for the first time (about 30 minutes) and you should refresh the credentials. When trying to re-authenticate (with
gcloud auth login or
gcloud auth application-defaults login as instructed within GCP documentation),
sudo rights are required. I don’t want to give any scripts those rights; might not be that bad idea, but I prefer not to.
Here is example of what happens after approximately 30 minutes, and how I fixed it:
$ gsutil ls gs://your-storage ServiceException: 401 Invalid Credentials
sudo chown -R ubuntu:ubuntu /home/ubuntu/.config/gcloud/configurations/config_default gcloud auth login gsutil ls gs://your-storage
And you will get a nice list of the content of your storage.
I am not a GCP master (yet); I’ve gone through endless hours of documentation, but never came across a section about alternative token refresh method than
gcloud auth login or using the service accounts (which I will use at production; would prefer using OAuth accounts for dev team). If anyone knows, that this method is not the correct one, but instead I am doing something wrong with the entire gcloud auth process, please let me know.
Anyway, thanks for your time!