GCP Credentials
Overview
PyBritive provides two GCP-specific checkout modes that integrate directly with the gcloud CLI. Both modes retrieve a temporary service account key from Britive and use it to authenticate your local gcloud session — no long-lived credentials required.
What you’ll learn:
- How to authenticate to GCP using
gcloudauthmode - How to authenticate automatically using
gcloudauthexecmode - How to use the simplified GCP profile format
Before You Begin
- PyBritive installed and authenticated — see Getting Started
gcloudCLI installed — rungcloud --versionto check- At least one GCP profile available for checkout — see Listing Your Access
Note: Profile names in this tutorial are from the Britive demo tenant. Replace them with your own profile names from
pybritive ls profiles.
Get GCP Credentials
Authenticate using gcloudauth
The gcloudauth mode retrieves a temporary GCP service account key, saves it to ~/.britive/, and outputs a gcloud auth activate-service-account command. Use eval to execute it and activate the credentials in your current shell session.
eval $(pybritive checkout "GCP - CIS/Big Query Viewer" --mode gcloudauth)Verify the active account:
gcloud auth listUse a custom key file location
By default, PyBritive saves the key file to ~/.britive/. To store it elsewhere:
eval $(pybritive checkout "GCP - CIS/Big Query Viewer" --mode gcloudauth \
--gcloud-key-file ~/keys/gcp-temp.json)Authenticate using gcloudauthexec
The gcloudauthexec mode works the same as gcloudauth but runs the authentication command automatically — no eval needed.
pybritive checkout "GCP - CIS/Big Query Viewer" --mode gcloudauthexecUse gcloudauthexec when you want a simpler one-liner, or in scripts where using eval is not practical. The --gcloud-key-file flag is not available in this mode.
Verify the active account:
gcloud auth listUse the simplified GCP profile format
For GCP profiles, the application name and environment name are the same. This means you can use the two-part format Application Name/Profile Name instead of the full three-part format.
For example, instead of:
pybritive checkout "GCP - CIS/GCP - CIS/Big Query Viewer" --mode gcloudauthexecYou can use:
pybritive checkout "GCP - CIS/Big Query Viewer" --mode gcloudauthexecPyBritive converts the two-part format to the required three-part format automatically.
Check in when done
GCP profiles require the full three-part profile format for checkin, even if you used the two-part shorthand for checkout:
pybritive checkin "GCP - CIS/GCP - CIS/Big Query Viewer"To also remove the service account credentials from your local gcloud session:
gcloud auth revokeTroubleshoot
| Symptom | Cause | Fix |
|---|---|---|
gcloud: command not found | gcloud CLI not installed | Install the Google Cloud CLI before using these modes |
ERROR: (gcloud.auth) Invalid key file | Key file path incorrect or permissions issue | Check the path and ensure PyBritive has write access to the directory |
gcloudauth outputs command but credentials not active | eval not used | Wrap the command in eval $(...) |
invalid_grant: Invalid JWT Signature | GCP service account key is expired or revoked | Contact your Britive administrator to rotate the service account key |
| Profile not found with two-part format | Profile name typo | Run pybritive ls profiles and confirm the exact name |
Next Steps
- Approval Workflows — manage access requests for profiles that require approval before checkout
- SSH Access — connect to GCP Compute Engine instances via Identity Aware Proxy