gsutil config --help


gsutil config --help

NAME
 config - Obtain credentials and create configuration file


SYNOPSIS

 gsutil [-D] config [-a] [-b] [-e] [-f] [-n] [-o <file>] [-r] [-s <scope>] [-w]



DESCRIPTION
 The ``gsutil config`` command applies to users who have installed gsutil as a
 standalone tool. If you installed gsutil via the Cloud SDK, ``gsutil config``
 fails unless you are specifically using the ``-a`` flag or have configured
 gcloud to not pass its managed credentials to gsutil (via the command ``gcloud
 config set pass_credentials_to_gsutil false``). For all other use cases, Cloud
 SDK users should use the ``gcloud auth`` group of commands instead, which
 configures OAuth2 credentials that gcloud implicitly passes to gsutil at
 runtime. To check if you are using gsutil from the Cloud SDK or as a
 stand-alone, use ``gsutil version -l`` and in the output look for "using cloud
 sdk".

 The ``gsutil config`` command obtains access credentials for Google Cloud
 Storage and writes a `boto/gsutil configuration file
 <https://cloud.google.com/storage/docs/boto-gsutil>`_ containing the obtained
 credentials along with a number of other configuration-controllable values.

 Unless specified otherwise (see OPTIONS), the configuration file is written
 to ~/.boto (i.e., the file .boto under the user's home directory). If the
 default file already exists, an attempt is made to rename the existing file
 to ~/.boto.bak; if that attempt fails the command exits. A different
 destination file can be specified with the ``-o`` option (see OPTIONS).

 Because the boto configuration file contains your credentials you should
 keep its file permissions set so no one but you has read access. (The file
 is created read-only when you run ``gsutil config``.)

CREDENTIALS
 By default ``gsutil config`` obtains OAuth2 credentials and writes them to the
 [Credentials] section of the configuration file. Unless otherwise specified,
 it requests a token allowing full control of resources in several services,
 e.g. Cloud Storage, Cloud KMS (used for the 'kms' command), and Cloud Pub/Sub
 (used for the 'notification' command). To request a token with more limited
 scopes, you can specify additional options (see the OPTIONS section below for
 the full list). Some examples include:

 Create a token with read-only access for storage resources:

   gsutil config -r

 Create a token with read-write access for storage resources:

   gsutil config -w

 Create a token with full-control access for storage resources:

   gsutil config -f

  In addition, ``-s <scope>`` can be specified multiple times to request
  additional scopes, where ``<scope>`` is specified using the full URL of the
  desired scope as listed on
  https://developers.google.com/identity/protocols/googlescopes.

  If you want to use credentials based on access key and secret (the older
  authentication method before OAuth2 was supported) instead of OAuth2,
  see help about the ``-a`` option in the OPTIONS section.

  If you wish to use gsutil with other providers (or to copy data back and
  forth between multiple providers) you can edit their credentials into the
  [Credentials] section after creating the initial boto configuration file.


CONFIGURING SERVICE ACCOUNT CREDENTIALS
  Service accounts are useful for authenticating on behalf of a service or
  application (as opposed to a user). If you use gsutil as a standalone tool,
  you configure credentials for service accounts using the ``-e`` option:

    gsutil config -e

  Note that if you use gsutil through the Cloud SDK, you instead activate your
  service account via the `gcloud auth activate-service-account
  <https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account>`_
  command.

  When you run ``gsutil config -e``, you are prompted for the path to your
  private key file and, if not using a JSON key file, your service account
  email address and key file password. To get this data, follow the instructions
  on `Service Accounts <https://cloud.google.com/storage/docs/authentication#generating-a-private-key>`_.
  Using this information, gsutil populates the "gs_service_key_file" attribute
  in the boto configuration file. If not using a JSON key file, gsutil also
  populates the "gs_service_client_id" and "gs_service_key_file_password"
  attributes.

  Note that your service account is NOT considered an Owner for the purposes of
  API access (see "gsutil help creds" for more information about this). See
  https://developers.google.com/identity/protocols/OAuth2ServiceAccount for
  further information on service account authentication.
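
An added example, not part of the gsutil help text: a Python audit of a boto configuration file that checks the owner-only permission advice given under DESCRIPTION and reports which credential attributes the [Credentials] section holds, following ``gs_service_key_file`` to the key file it names. The ``gs_oauth2_refresh_token``, ``gs_access_key_id`` and ``gs_secret_access_key`` names are standard boto attributes not listed on this page; the sample config and key file are constructed.

```python
import configparser
import os
import stat
import tempfile

# Attributes that hold or point to secrets in [Credentials]. The gs_service_*
# names appear in the help text; the other three are standard boto names for
# OAuth2 refresh tokens and access key / secret pairs.
SECRET_KEYS = {"gs_service_key_file", "gs_service_key_file_password",
               "gs_oauth2_refresh_token", "gs_access_key_id",
               "gs_secret_access_key"}

def too_open(path):
    """True if group or other has any permission bit on path."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def audit_boto(path):
    """Return (kind, detail) findings for one boto/gsutil config file."""
    findings = []
    if too_open(path):
        findings.append(("perm", path))
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(path)
    creds = cfg["Credentials"] if cfg.has_section("Credentials") else {}
    for key in sorted(SECRET_KEYS & set(creds)):
        findings.append(("secret", key))          # never echo the value
    key_file = creds.get("gs_service_key_file")
    if key_file:
        key_file = os.path.expanduser(key_file)
        if not os.path.exists(key_file):
            findings.append(("missing-key-file", key_file))
        elif too_open(key_file):
            findings.append(("perm", key_file))
    return findings

def demo():
    """Audit a constructed config (fake values) in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        key, boto = os.path.join(d, "sa.json"), os.path.join(d, "boto")
        with open(key, "w") as f:
            f.write("{}")                          # constructed placeholder
        with open(boto, "w") as f:
            f.write("# constructed sample\n[Credentials]\n"
                    f"gs_service_key_file = {key}\n")
        os.chmod(key, 0o644)                       # weak: world-readable
        os.chmod(boto, 0o600)                      # owner-only
        return [(k, os.path.basename(v)) for k, v in audit_boto(boto)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A "perm" finding on either file is the case the help text warns about; a "secret" finding only inventories what the file holds so that long-lived keys can be tracked and rotated.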


OPTIONS
  -a          Prompt for Google Cloud Storage access key and secret (the older
              authentication method before OAuth2 was supported) instead of
              obtaining an OAuth2 token.

  -b          Causes ``gsutil config`` to launch a browser to obtain OAuth2
              approval and the project ID instead of showing the URL for each
              and asking the user to open the browser. This will probably not
              work as expected if you are running gsutil from an ssh window, or
              using gsutil on Windows.

  -e          Prompt for service account credentials. This option requires that
              ``-a`` is not set.

  -f          Request token with full control (devstorage.full_control scope).
              Note that this does not provide non-storage scopes, such as those
              needed to edit Pub/Sub and KMS resources (used with the
              'notification' and 'kms' commands).

  -n          Write the configuration file without authentication configured.
              This flag is mutually exclusive with all flags other than ``-o``.

  -o <file>   Write the configuration to <file> instead of ~/.boto.
              Use ``-`` for stdout.

  -r          Request token with read-only access (devstorage.read_only scope).

  --reauth    Request token with reauth access (accounts.reauth scope).

  -s <scope>  Request a specific OAuth2 <scope> instead of the default(s). This
              option may be repeated to request multiple scopes, and may be used
              in conjunction with other flags that request a specific scope.

  -w          Request token with read-write access
              (devstorage.read_write scope).


