Skip to content
GCP Credentials

GCP Credentials

Overview

PyBritive provides two GCP-specific checkout modes that integrate directly with the gcloud CLI. Both modes retrieve a temporary service account key from Britive and use it to authenticate your local gcloud session — no long-lived credentials required.

What you’ll learn:

  • How to authenticate to GCP using gcloudauth mode
  • How to authenticate automatically using gcloudauthexec mode
  • How to use the simplified GCP profile format

Before You Begin

  • PyBritive installed and authenticated — see Getting Started
  • gcloud CLI installed — run gcloud --version to check
  • At least one GCP profile available for checkout — see Listing Your Access

Note: Profile names in this tutorial are from the Britive demo tenant. Replace them with your own profile names from pybritive ls profiles.

Get GCP Credentials

Authenticate using gcloudauth

The gcloudauth mode retrieves a temporary GCP service account key, saves it to ~/.britive/, and outputs a gcloud auth activate-service-account command. Use eval to execute it and activate the credentials in your current shell session.

eval $(pybritive checkout "GCP - CIS/Big Query Viewer" --mode gcloudauth)

Verify the active account:

gcloud auth list

Use a custom key file location

By default, PyBritive saves the key file to ~/.britive/. To store it elsewhere:

eval $(pybritive checkout "GCP - CIS/Big Query Viewer" --mode gcloudauth \
  --gcloud-key-file ~/keys/gcp-temp.json)

Authenticate using gcloudauthexec

The gcloudauthexec mode works the same as gcloudauth but runs the authentication command automatically — no eval needed.

pybritive checkout "GCP - CIS/Big Query Viewer" --mode gcloudauthexec

Use gcloudauthexec when you want a simpler one-liner, or in scripts where using eval is not practical. The --gcloud-key-file flag is not available in this mode.

Verify the active account:

gcloud auth list

Use the simplified GCP profile format

For GCP profiles, the application name and environment name are the same. This means you can use the two-part format Application Name/Profile Name instead of the full three-part format.

For example, instead of:

pybritive checkout "GCP - CIS/GCP - CIS/Big Query Viewer" --mode gcloudauthexec

You can use:

pybritive checkout "GCP - CIS/Big Query Viewer" --mode gcloudauthexec

PyBritive converts the two-part format to the required three-part format automatically.

Check in when done

GCP profiles require the full three-part profile format for checkin, even if you used the two-part shorthand for checkout:

pybritive checkin "GCP - CIS/GCP - CIS/Big Query Viewer"

To also remove the service account credentials from your local gcloud session:

gcloud auth revoke

Troubleshoot

SymptomCauseFix
gcloud: command not foundgcloud CLI not installedInstall the Google Cloud CLI before using these modes
ERROR: (gcloud.auth) Invalid key fileKey file path incorrect or permissions issueCheck the path and ensure PyBritive has write access to the directory
gcloudauth outputs command but credentials not activeeval not usedWrap the command in eval $(...)
invalid_grant: Invalid JWT SignatureGCP service account key is expired or revokedContact your Britive administrator to rotate the service account key
Profile not found with two-part formatProfile name typoRun pybritive ls profiles and confirm the exact name

Next Steps

  • Approval Workflows — manage access requests for profiles that require approval before checkout
  • SSH Access — connect to GCP Compute Engine instances via Identity Aware Proxy
Last updated on