Google Cloud - Best practices for securing default app creds

Are there any best practices around securing default app creds? I really dislike that they are plain text, never refreshed, and stored in a known location.
Is there support for maybe storing them on a USB key fob? That would be really cool.

I would say wherever possible, use OIDC or implicit auth vs. using any kind of credentials.

Are you talking about user level local “application-default credentials” created by the gcloud CLI? I believe it’s possible to make those have to be refreshed on some kind of cadence.

Not sure how much extra benefit storing them on a local drive would be. I think the biggest thing to do there, harm-reduction wise, is limit the scope (projects and IAM permissions) that users’ regular accounts have access to.

Is that a new feature? I don’t recall seeing anything like that. They were always static and non-expiring.

This is for the CLI and, more importantly, the SDK, which requires those app default creds.

I think the creds for the CLI are stored in some local embedded DB that might have some encryption? Maybe I’m making that up haha

Well, OIDC / Workload Identity etc. are used a lot broadly for cross cloud-platform auth, auth with CI systems, etc.

As far as app default credentials, they use a refresh token, but it is a static file. I’m not 100% sure, but I believe there is a config setting that can force users to have to reauth ADC as well. What I was saying above is that I’d try to (in an ideal world) limit what users can do with the account attached to those ADCs (for example, use a separate admin account for certain types of operations, make sure you’re using the principle of least privilege when assigning permissions, etc.)

https://support.google.com/a/answer/9368756?hl=en has a bit more info about that:

Apps that use Application Default Credentials (ADC) with user credentials are considered third-party apps. These credentials are valid only for the configured session length

So I think if you follow the steps there, users will have to re-run either gcloud auth login --update-adc or gcloud auth application-default login when the session lifetime expires, which sounds like what you’re looking for.

So this is another problem. I always hated that the SDK and CLI creds are generated and stored separately.

If I expire the sessions then users need to run both auth commands, for the CLI and the SDK.

It would be nice if there was support for automatically regenerating all locally stored creds when a user re-logs into GCP.

I was also wondering if there are more options if you use Google creds for logging on to Mac and Windows laptops. Does Google Workspace have support for handling gcloud CLI and app creds for users automatically?

gcloud auth login --update-adc isn’t what you’re looking for?

Hmm, that sets up my CLI and default app creds?

Don’t I need to run both?
gcloud auth login - for the CLI
gcloud auth application-default login - for app default creds

Huh, looking at the docs it seems --update-adc does do both. That’s cool, I wonder if that’s relatively new.

Yeah, not sure exactly when it was added, but it’s been around for at least a little while now. It’ll update both.