gcloud-identity-token

A Rust crate for seamless, secure Google Cloud OAuth authentication.

This library handles the OAuth2 authorization code flow (with browser-based login) to obtain:

• Access tokens (for calling Google APIs)
• ID tokens (for verifying user identity)
• Refresh tokens (to renew tokens silently)

It securely caches credentials using the OS-native keyring or a file-based fallback — making it ideal for long-lived CLI tools, automation, and server integrations.

Features

• Secure credential caching
  • Defaults to OS keyring (keyring crate)
  • Optional file-based cache via GCLOUD_IDENTITY_TOKEN_PATH
• Smart refresh logic
  • Automatically reuses tokens until they expire
  • Refreshes silently using stored refresh token
• Headless & browser login support
  • Opens browser for login when possible
  • Falls back to manual URL copy if needed
• Email-based keyring separation
  • Keyring entries are scoped to your Google email (from ID token)

Usage

Obtain application-default credentials (Required)

gcloud auth application-default login

Add to your Cargo.toml:

[dependencies]
gcloud-identity-token = "0.1"

Example

use anyhow::Result;
use gcloud_identity_token::auth::get_token;
use gcloud_identity_token::config::load_creds;

#[tokio::main]
async fn main() -> Result<()> {
    let creds = load_creds()?;
    let token = get_token(&creds).await?;

    println!("Access token: {}", token.access_token);
    println!("ID token: {}", token.id_token);
    println!("Expires at:  {}", token.token_expiry);

    Ok(())
}