This is a collection of tools / libraries for making a request to googlesource.com and source.developers.google.com with an OAuth2 tokens.
This comes with three tools and a library for programmatic access.
- git-credential-googlesource: A gitcredentials helper
- googlesource-askpass: A
GIT_ASKPASS
helper - googlesource-cookieauth: A tool to create a gitcookie file
- credentials: A library for creating a TokenSource
These tools work without any configuration by default as long as you have gcloud installed. For choosing which one to use, see the usage guide below.
This is not an official Google product (i.e. a 20% project).
Install like other Go tools.
There are two things to consider for setting this up.
- Which account to use and how to obtain the credentials
- How to run these auth helpers
-
Use on a personal machine
If you use these tools on your workstation, which means that you use these tools for non-production jobs, you can just use your Google Account. Install Google Cloud SDK, and set up your account with
gcloud auth login
. These tools automatically use the default account. If you have multiple accounts, and you want to use different accounts for different repositories, see the configurations section below. -
Use on GCE
If you use these tools on GCE, you must use a service account. You can specify a service account for each GCE instance when you start one, and the machine can get a credential of that account from a special IP address that is internal to GCE. Use
https://www.googleapis.com/auth/cloud-platform
as the OAuth2 scope. If you have gcloud installed in the machine, you don't need further configuration. If you do not want to install gcloud, you can specifyapplication-default
forgoogle.account
in git-config. See the configurations section below. -
Use on an on-premise servers
If you use these tools on on-premise machines, you must use a service account as well. In Google Cloud Platform Console, you can create a service account and you can download a credential JSON file for the account. You can distribute this credential file to your on-premise machines and specify the file path in
GOOGLE_APPLICATION_CREDENTIALS
. Specifyapplication-default
forgoogle.account
in your .gitconfig. See Application Default Credentials for details.
-
Run
googlesource-cookieauth
as a cron jobIf you don't mind running a small background cron job on your machine once per hour, running
googlesource-cookieauth
as a cron job will be most convenient and reliable option.Setting up a cron job depends on your operating system. Explaining how to set up one is beyond this help. For Linux, you might be able to use systemd or crontab. For Mac OS X, you might be able to use launchd or crontab. For Windows, you might be able to use Task Scheduler.
-
Run
googlesource-cookieauth
right before running Git commandsThe OAuth2 tokens written by
googlesource-cookieauth
are usually valid for an hour. If you need to access Git repositories in a CI/CD pipeline and you cannot modify the worker image for running a cron job, you can run this command once at the beginning. -
Use
git-credential-googlesource
If you install
git-credential-googlesource
to the $PATH, you can specifygooglesource
tocredential.helper
in git-config. You can specify the full path as well.Due to the nature of git-credential mechanism, this doesn't work well for googlesource.com repositories. This is because Git invokes credential helpers only when it sees 401 Unauthorized. For public repositories, you can always access them and Git won't use the credential. You can change the repository URL path with
/a/
for force authentication. For example, you can usehttps://gerrit.googlesource.com/a/gerrit
instead ofhttps://gerrit.googlesource.com/gerrit
. The googlesource.com server returns 401 Unauthorized if the request is not authenticated.In Mac OS X, the operating system specifies
git-credential-osxkeychain
as a system default credential helper. This credential helper caches the OAuth2 access token returned bygit-credential-googlesource
. Since OAuth2 access tokens are valid only for a short period, the cached credential will become invalid quickly. This causes many confusions and it's better to disable it if you usegit-credential-googlesource
. (A patch for disabling cache is sent to git upstream https://public-inbox.org/git/[email protected]/T/#u) -
Use
googlesource-askpass
You can specify the path to
googlesource-askpass
toGIT_ASKPASS
environment variable orcore.askPass
in git-config.The same restriction applies for
googlesource-askpass
, and this doesn't work well for googlesource.com repositories.
Most of the configurations can be done via git-config. Consult the git manual pages on how to configure the options.
-
google.account
An account to be used. This can take one of the following values. If empty, it defaults to
gcloud
.-
gcloud
Use the default account of
gcloud
. -
application-default
Use the applicaiton default credentials.
-
Google Account emails
Get an access token by using
gcloud auth print-access-token EMAIL
. The account specified here must be registered in gcloud by usinggcloud auth login
-
Service account emails (
SERVICE_ACCOUNT@YOUR_PROJECT.iam.gserviceaccount.com
)Start from the application default credentials, use IAM Service Account Credentials API to obtain the specified service account credentials. The account used for the application default service account must have
iam.serviceAccounts.getAccessToken
for the account specified here.In a rare situation where you need a multi-hop delegation, you can specify a list of delegated service account emails in
google.serviceAccountDelegateEmails
.
-
-
google.scopes
Comma separated values of OAuth2 scopes. If empty, it defaults to
https://www.googleapis.com/auth/cloud-platform
.This config is usually not effective unless you use service account emails for
google.account
. -
google.allowHTTPForCredentialHelper
A boolean value that is used only for
git-credential-googlesource
. If true, it allows returning a credential for HTTP URLs. Usually this is not needed, but this comes handy if you have an HTTP proxy. -
google.cookieFile
A file path to a cookie file.
googlesource-cookieauth
writes Netscape cookies to this file. If you specify "-", it writes to stdout. If empty, it defaults to$HOME/.git-credential-cache/googlesource-cookieauth-cookie
. -
google.gcloudPath
A file path to
gcloud
. If empty, it defaults to the one in the $PATH.
All configurations above, except google.cookieFile
, can be scoped to a URL by
using google.<url>.*
syntax. For example, if you want to use your Gmail
address by default, and use your chromium.org account only for
chromium.googlesource.com, you can write the following .gitconfig.
[google]
account = [email protected]
[google "https://chromium.googlesource.com"]
account = [email protected]
For googlesource-cookieauth
, you can specify google.cookieFile
via a command
line flag, too. Specify a file path via --output
. The commandline flag takes a
precedence over git-config.