gcloud terraform auth helper tool

A quick and simple bash script to ensure you’re authenticated as the expected Google user when running ops with gcloud CLI.

Background

I run terraform a lot, across a mix of different GCP accounts/environments. If you accidentally have gcloud auth'd as the wrong user and you fail to pay attention to the output of terraform apply/terraform plan, it's possible to do some bad damage. At best, you waste time authenticating again and re-planning appropriately. As such, I've developed a bunch of tooling and conventions to avoid this.

Here's a quick bash script to do this. It relies on the existence of a .auth-config file in your working directory. If none exists, it will prompt you for the gcloud user you're looking for, and then save that into a .auth-config file for you; you should commit this file to version control.

Getting Started

To get started with this script, download it into your working directory (the root where you're running terraform, gcloud commands, or something similarly dependent on gcloud auth) and make it executable (eg, chmod +x auth). I developed and use this on macOS; it should work on most *nix environments, but YMMV.

./auth Script

#!/bin/bash
# Copyright 2025 Eng Etc LLC
# Licensed under the Apache License, Version 2.0 (the "License");

# Define colors for formatted output
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
YELLOW='\033[0;33m'
NC='\033[0m' # No color

AUTH_CONFIG_FILE=".auth-config"
TARGET_ACCOUNT=""

# Read GCLOUD_ACCOUNT from .auth-config if it exists. The file is parsed with
# grep/cut rather than sourced, so a committed config file cannot execute anything.
load_config() {
    if [[ -f "$AUTH_CONFIG_FILE" ]]; then
        TARGET_ACCOUNT=$(grep '^GCLOUD_ACCOUNT=' "$AUTH_CONFIG_FILE" | cut -d '=' -f2- | tr -d '[:space:]')
    fi
}

# Prompt for the account and offer to save it to .auth-config.
# Values are passed to printf as %s arguments, never as part of the format string.
prompt_for_account() {
    printf "${YELLOW}No valid GCLOUD_ACCOUNT found in %s.${NC}\n" "$AUTH_CONFIG_FILE"
    read -rp "Enter your Google Cloud account email: " TARGET_ACCOUNT

    if [[ -n "$TARGET_ACCOUNT" ]]; then
        printf "Would you like to save this to ${BLUE}%s${NC} for future use?" "$AUTH_CONFIG_FILE"
        read -rp " (y/n): " SAVE_CHOICE
        if [[ "$SAVE_CHOICE" =~ ^[Yy]$ ]]; then
            echo "GCLOUD_ACCOUNT=$TARGET_ACCOUNT" > "$AUTH_CONFIG_FILE"
            printf "Saved ${BLUE}GCLOUD_ACCOUNT${NC} to ${BLUE}%s${NC}.\n" "$AUTH_CONFIG_FILE"
        fi
    else
        printf "${RED}No account provided. Exiting.${NC}\n" >&2
        exit 1
    fi
}

# Bail out if gcloud is not installed
if ! command -v gcloud &> /dev/null; then
    printf "${RED}gcloud is not installed, so this auth tool probably isn't applicable to you!${NC}\n" >&2
    exit 1
fi

# Load the target account from config, or prompt if it is missing
load_config
if [[ -z "$TARGET_ACCOUNT" ]]; then
    prompt_for_account
fi

# Print the active gcloud account, but only if Application Default Credentials
# can currently mint a token; otherwise print nothing so we re-authenticate.
# Note: gcloud's config account and the stored ADC identity are separate settings,
# so this confirms that ADC works and that gcloud is configured for the target
# account, not that the ADC token itself belongs to that account.
get_adc_account() {
    gcloud auth application-default print-access-token &> /dev/null \
        && gcloud config get-value account 2>/dev/null
}
ADC_ACCOUNT=$(get_adc_account)

# Check if the target account is already authenticated for ADC
if [[ "$ADC_ACCOUNT" == "$TARGET_ACCOUNT" ]]; then
    printf "${GREEN}Application Default Credentials are already set for %s.${NC}\n" "$TARGET_ACCOUNT"
else
    printf "${BLUE}Authenticating Application Default Credentials for %s...${NC}\n" "$TARGET_ACCOUNT"

    # Run the interactive ADC login; stop here if the user aborts or the login fails,
    # rather than silently switching the config account anyway
    if ! gcloud auth application-default login --account="$TARGET_ACCOUNT"; then
        printf "${RED}gcloud auth application-default login failed.${NC}\n" >&2
        exit 1
    fi
    gcloud config set account "$TARGET_ACCOUNT"

    ADC_ACCOUNT=$(get_adc_account)
    if [[ "$ADC_ACCOUNT" == "$TARGET_ACCOUNT" ]]; then
        printf "${GREEN}Successfully authenticated Application Default Credentials for %s.${NC}\n" "$TARGET_ACCOUNT"
    else
        printf "${RED}Failed to authenticate Application Default Credentials.${NC}\n" >&2
        exit 1
    fi
fi
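A tighter check, added here as an example and not part of the original ./auth script: Terraform's Google provider uses Application Default Credentials, and the account in gcloud's config is a separate setting, so this resolves the email the ADC token actually belongs to via Google's tokeninfo endpoint and compares that against the expected account. It assumes the ADC token carries the userinfo.email scope (which gcloud auth application-default login requests by default) and uses a constructed tokeninfo reply for the offline run.

```shell
#!/bin/bash
# Added example, not part of the original ./auth script: check the identity that
# Application Default Credentials actually carry, rather than the separate
# `gcloud config get-value account` setting. Assumption: the ADC token was
# minted with the userinfo.email scope (gcloud's ADC login requests it by default).
set -eu

TOKENINFO_URL="https://oauth2.googleapis.com/tokeninfo"

# Extract the "email" field from a tokeninfo JSON response (pure text processing,
# so it can be checked offline). Prints nothing if the field is absent.
extract_email() {
    printf '%s' "$1" | sed -n 's/.*"email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

to_lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Compare the identity in a tokeninfo response with the expected account.
# Exit status: 0 = match, 1 = different account, 2 = no email in the response.
adc_matches() {
    tokeninfo_json="$1"; expected="$2"
    actual=$(extract_email "$tokeninfo_json")
    [ -n "$actual" ] || return 2
    [ "$(to_lower "$actual")" = "$(to_lower "$expected")" ]
}

# Live lookup: mint an ADC access token and ask Google's tokeninfo endpoint who it
# belongs to. Needs gcloud, valid ADC and network access; not used by the offline demo.
adc_identity_json() {
    token=$(gcloud auth application-default print-access-token 2>/dev/null) || return 2
    curl -sf --get --data-urlencode "access_token=${token}" "$TOKENINFO_URL"
}

# Constructed sample response, standing in for a real tokeninfo reply.
SAMPLE_TOKENINFO='{"azp":"123.apps.googleusercontent.com","email":"alice@example.com","email_verified":"true","expires_in":"3599"}'

EXPECTED="${1:-alice@example.com}"
if adc_matches "$SAMPLE_TOKENINFO" "$EXPECTED"; then
    echo "ADC identity matches ${EXPECTED}"
else
    case $? in
        1) echo "ADC belongs to $(extract_email "$SAMPLE_TOKENINFO"), not ${EXPECTED}" >&2 ;;
        *) echo "Could not determine the ADC identity" >&2 ;;
    esac
fi
```

For live use, feed the output of adc_identity_json into adc_matches in place of the sample reply, and treat status 2 (no email in the response) as a failed check rather than a pass.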