
I'm trying to use a service account to allow a web app to upload files periodically to Cloud Storage with "gsutil cp". During the installation of the gcloud utilities on the web server, I ran a gcloud init and logged in with my main Google account (the owner of the project). After, I successfully credentialed with my service account, so that part of it is fine.

But it's trivial to now just switch to my main account ("gcloud auth list" shows it, and "gcloud config set account ..." lets me switch to it easily with no further authentication), which for security reasons I want to avoid the possibility of someone being able to do if they break into that server. But "gcloud auth revoke" scares me a bit - in the documentation, it states that when given a user account, it revokes the user account token on the server, then removes the credential from the local machine.

Will this revoke access to my main account on other machines I have access to it from? The idea of it removing the user account token on the server implies it may not be just a simple "log out" from that machine, but rather that the user account's privileges in general are revoked. The very last thing I want to do is somehow disable my user account that's the owner of the project; I just want to disallow the one specific machine from which I logged in from being able to do so. To me, that might imply just removing the credential from the local machine, not revoking the user account token on the server as the documentation suggests. Unless somehow there are several tokens stored on the server - one for each computer I've signed in from - and signing out from one machine doesn't revoke my privileges on others signed into the same account.

Thanks for clarification!

Dan

Dan C.

1 Answer


Will this revoke access to my main account on other machines I have access to it from?

The short answer is no. Running the command gcloud auth revoke will not revoke access to your project or the access to your main account on other machines you have access from.

As stated here this command revokes the user account token on the server. If the revocation is successful, or if the token has already been revoked, this command removes the credential from the local machine.

I tried to revoke access to my account, which is the owner of the project, and I can confirm I still have access to the Google Cloud Console as well as the command gcloud auth login. As stated here, it obtains access credentials for your user account via a web-based authorization flow. When this command completes successfully, it sets the active account in the current configuration to the account specified. If no configuration exists, it creates a configuration named default.

I understand your concerns regarding the use of gcloud auth revoke, but the command is used when you would like to prevent gcloud and other Cloud SDK tools from using the specified account.

Unless somehow there are several tokens stored on the server - one for each computer I've signed in from, and signing out from one machine doesn't revoke my privileges on others signed into the same account.

I cannot confirm whether several tokens are stored on the server, one for each of the computers you used to sign in. As far as the command is concerned, running it will remove the credential from the machine you are running it on. If you try to run commands from the Cloud Shell, you will still be able to, since the credentials stored in the Cloud Shell or on a GCE instance are not removed from that machine unless you explicitly run the command there.

I hope it helps.
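The procedure the answer describes (list the stored credentials, revoke the user account on the web server, make the service account the active one), as an added example that is not part of the original question or answer. It assumes the service account address ends in .iam.gserviceaccount.com and that `gcloud auth list --format="value(account,status)"` prints one tab-separated "ACCOUNT<TAB>STATUS" line per stored credential, which is the standard `value()` output shape. The sample listing used in the comments is constructed, not taken from the poster's server.

```shell
#!/bin/sh
# Added example (not the poster's or Google's code): leave only the service
# account credentialed on the web server, so that someone who breaks in
# cannot `gcloud config set account` back to the project owner.
#
# Assumptions not stated on the page:
#   - service account addresses end in .iam.gserviceaccount.com
#   - `gcloud auth list --format="value(account,status)"` prints one line
#     per credential as "ACCOUNT<TAB>STATUS" (STATUS is ACTIVE or empty)
#
# Constructed sample of that listing, as it would look on the server:
#   dan@example.com<TAB>ACTIVE
#   uploader@my-project.iam.gserviceaccount.com<TAB>
set -eu

# Print the user (non-service) accounts found in a listing read from stdin.
# These are the logins an intruder could switch to without re-authenticating.
user_accounts() {
  awk -F'\t' '$1 != "" && $1 !~ /\.iam\.gserviceaccount\.com$/ { print $1 }'
}

# Print the gcloud commands that revoke every user account stored on this
# machine and make $1 the active account. The listing is read from stdin.
# `gcloud auth revoke USER` revokes the token issued to this machine's login
# and deletes it locally; other machines hold their own tokens from their
# own `gcloud auth login` runs, and the Google account itself is untouched.
plan_lockdown() {
  sa="$1"
  listing="$(cat)"
  # Refuse to plan anything if the service account is not already
  # credentialed here: revoking the user account first would leave gcloud
  # with no account to act as, and the upload job would break.
  if ! printf '%s\n' "$listing" |
       awk -F'\t' -v sa="$sa" '$1 == sa { found = 1 } END { exit !found }'; then
    echo "service account $sa is not credentialed on this machine" >&2
    return 1
  fi
  printf '%s\n' "$listing" | user_accounts | while IFS= read -r user; do
    printf 'gcloud auth revoke %s\n' "$user"
  done
  printf 'gcloud config set account %s\n' "$sa"
}

# Run the plan for real against this machine, then show what is left.
lockdown() {
  gcloud auth list --format='value(account,status)' | plan_lockdown "$1" | sh -e
  gcloud auth list
}

# Usage on the web server (assumed service account name):
#   . ./lockdown.sh && lockdown uploader@my-project.iam.gserviceaccount.com
```

After running it, `gcloud auth list --filter=status:ACTIVE --format="value(account)"` should print only the service account. Revoking the owner login narrows what an intruder on that box can do to whatever the service account is allowed to do, so that account should hold only the narrow role the upload needs (for example roles/storage.objectCreator on the one bucket) rather than a project-wide role; the key file that `gcloud auth activate-service-account --key-file` stored is itself a credential worth protecting with file permissions.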