
Why the "reauth related error (invalid_rapt)" on Google Cloud Shell / Golang?

I got this error for the first time this week and it's really confusing me. Here's the situation:

  1. Logged into a Google Workspace Account (custom domain / not a Gmail.com) and ...
  2. Using Google Cloud Shell to ...
  3. Build Golang project that ...
  4. Calls Google Cloud APIs (such as Google Cloud Storage) ...
  5. Receive dreaded invalid_rapt even though no authentication is being done 🤔

P.S. - Been using this setup for about 4 months without running into this problem. Did something change?

What's frustrating is that using Python still works to, say, list buckets in GCS:

python3 -c 'from google.cloud.storage import Client; print(list(Client().list_buckets()))'

But Golang does not:

package main

import (
    "context"
    "fmt"
    "log"

    "cloud.google.com/go/storage"
    "google.golang.org/api/iterator"
)

func main() {
    ctx := context.Background()
    // NewClient resolves Application Default Credentials; no explicit auth here.
    client, err := storage.NewClient(ctx)
    if err != nil {
        log.Fatalf("Failed to create client: %v", err)
    }
    defer client.Close()

    it := client.Buckets(ctx, "surfey")
    fmt.Println("Buckets:")
    for {
        attrs, err := it.Next()
        if err == iterator.Done {
            // Normal end of the listing, not a failure.
            break
        }
        if err != nil {
            log.Printf("Failed to list buckets: %v", err)
            break
        }
        fmt.Println(attrs.Name)
    }
}

$ ./gobuckets
Buckets:
2024/05/15 21:42:37 Failed to list buckets: Get "https://storage.googleapis.com/storage/v1/b?alt=json&pageToken=&prefix=&prettyPrint=false&project=surfey&projection=full": oauth2: "invalid_grant" "reauth related error (invalid_rapt)" "https://support.google.com/a/answer/9368756"

However, I found I could work around the problem by setting the Reauthentication policy in Google Workspace Admin to Never require reauthentication ... which feels like a very bad solution.

Reauthentication policy: Never require reauthentication

Unfortunately I cannot simply run gcloud auth application-default login because as I said I'm on Google Cloud Shell which technically runs as a Google Compute Instance and thus that gives me a warning:

n@cloudshell:~$ gcloud auth application-default login

You are running on a Google Compute Engine virtual machine.
The service credentials associated with this virtual machine
will automatically be used by Application Default
Credentials, so it is not necessary to use this command.

If you decide to proceed anyway, your user credentials may be visible
to others with access to this virtual machine. Are you sure you want
to authenticate with your personal account?

Do you want to continue (Y/n)? 

This is a complicated question to solve and it's wasted a lot of my time already. I wonder ...

  • Why is Python able to work but Golang is not (with a default client)?
  • How would I actually re-authenticate when I'm not using local credentials?
  • What "app" could I mark Trusted such that I don't need to have blanket "no reauthentication" configuration?
Neil C. Obremski asked Oct 26 '25 15:10


2 Answers

After removing the old config file via

mv  ~/.config/gcloud/application_default_credentials.json  ~/.config/gcloud/application_default_credentials.json.bak

I re-created the file with:

gcloud auth application-default login

It changed only the refresh_token field of the JSON but after this, everything went fine. Probably just running the latter command would've been enough.

Csongor Halmai answered Oct 29 '25 04:10


As usual ^1 I figured out the problem after fully describing it here. But hey, if you're having the same issue then I hope this helps you:

Somewhere along the way I had used gcloud auth application-default login and there was a ~/.config/gcloud/application_default_credentials.json! 🤦 I ran rm -rf ~/.config/gcloud and the problem went away.

Now I'm trying to figure out how I can detect which credentials are being used because clearly Python wasn't using those.

Neil C. Obremski answered Oct 29 '25 05:10
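Added example, not part of either answer and not code from Google's libraries: a standard-library-only Go check that mirrors the search order the Go client libraries use for Application Default Credentials (environment variable, then the gcloud well-known file, then the metadata server) and reports which source a default client such as storage.NewClient would pick up. The function names and the Linux well-known path under the home directory are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// credType reads the "type" field of a credentials JSON file:
// "authorized_user" is a user refresh token written by
// `gcloud auth application-default login`; "service_account" is a key file.
func credType(path string) string {
	data, err := os.ReadFile(path)
	if err != nil {
		return "unreadable"
	}
	var f struct {
		Type string `json:"type"`
	}
	if json.Unmarshal(data, &f) != nil || f.Type == "" {
		return "unparseable"
	}
	return f.Type
}

// adcSource returns the first credential source in the ADC search order and
// its type. getenv and home are parameters so the check can be tested.
func adcSource(getenv func(string) string, home string) (source, typ string) {
	// 1. A file named by the environment variable always wins; a bad path
	//    there is an error for the client, not a fall-through.
	if p := getenv("GOOGLE_APPLICATION_CREDENTIALS"); p != "" {
		return "GOOGLE_APPLICATION_CREDENTIALS=" + p, credType(p)
	}
	// 2. The gcloud well-known file (Linux path, as on Cloud Shell).
	wk := filepath.Join(home, ".config", "gcloud", "application_default_credentials.json")
	if _, err := os.Stat(wk); err == nil {
		return "well-known file " + wk, credType(wk)
	}
	// 3. Otherwise the VM's attached service account via the metadata server.
	return "metadata server", "attached service account"
}

func main() {
	home, _ := os.UserHomeDir()
	src, typ := adcSource(os.Getenv, home)
	fmt.Printf("ADC source: %s\ncredential type: %s\n", src, typ)
}
```

A result of authorized_user from the well-known file on Cloud Shell means a user refresh token left by gcloud auth application-default login is being used ahead of the VM's service credentials, which is the situation both answers describe.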


