Google Cloud stores your credentials in a database on your system. These credentials can then be used over and over. Google’s choice of a database means that the CLI and SDK tools can manage a huge number of credentials efficiently. Credentials are managed by configurations.

However, Google also chose not to encrypt the database storing these credentials, and I think that this is a potential security weakness that should be reconsidered. IMHO all data should be encrypted. Data that authorizes or protects other data MUST be encrypted.

More details about configurations are in another article that I wrote.

A gcloud configuration is a set of properties that govern the behavior of gcloud and other Google Cloud SDK tools. When you first install gcloud on your desktop a configuration named default is created.

A gcloud configuration is managed by gcloud config configurations. To see the list of configurations on your system:

This will output a list of configurations present on your system:

A configuration is linked to its credentials in the database by the account ID.

The databases are stored in the following directory. Replace username with your Windows user name.

For Linux:

Credentials are stored in two files in this directory: access_tokens.db and credentials.db. Both files are SQLite databases. To see the contents of these databases I wrote two small Python programs.

ACCESS_TOKENS.DB

The database access_tokens.db contains a table named access_tokens with four columns: account_id, access_token, token_expiry and rapt_token.

Table schema:

The column account_id is the email address associated with the credentials.

The access_token is the access token used for authenticating requests, for example with curl and REST APIs. In another article, I will cover in detail what access tokens and credentials look like and how to use them in your own software. I will also cover how to generate access tokens from credentials.

The token_expiry is the date that the token expires.

The rapt_token is involved with token refresh. I have not yet investigated how to use this.

This Python program will output the contents of the access_tokens.db database.

This is the output from the program. I have obfuscated the output to protect the access tokens.

CREDENTIALS.DB

The database credentials.db contains a table named credentials with two columns: account_id and value.

Table schema:

The column account_id is the email address associated with the credentials.

The column value holds your credentials in JSON format. I will cover the format of credentials in detail in another article.

This Python program will output the contents of the credentials.db database.

This is the output from the program. I have obfuscated the output to protect the credentials by deleting them from the listing.

There you have it. Details on where Google stores credentials on your system, the format of the database and what the credentials look like on your system.
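Because both databases are unencrypted, it is worth knowing which accounts have credentials on a machine and who can read the files. The following is an added example, not one of the programs from this article: it opens both databases read-only, lists each account_id with its token_expiry or the size of its value column, never selects the secret columns, and flags files readable by group or others. The function names, the sample directory and the sample rows are constructed for illustration; pass your own gcloud configuration directory to audit_gcloud_dir.

```python
import sqlite3
import stat
import tempfile
from pathlib import Path

# Table and column names are the ones listed in this article; secret columns are never selected.
QUERIES = {
    "access_tokens.db": "SELECT account_id, token_expiry FROM access_tokens",
    "credentials.db": "SELECT account_id, length(value) FROM credentials",
}
SAMPLE_VALUE = '{"refresh_token": "FAKE"}'  # constructed, not a real credential

def audit_gcloud_dir(config_dir):
    """Return (file, account_id, detail, file mode, exposed) for every stored account."""
    findings = []
    for filename, query in QUERIES.items():
        path = Path(config_dir, filename).resolve()
        if not path.exists():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        # No encryption, so file permissions are the only local barrier (POSIX mode bits).
        exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
        conn = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)  # read-only open
        try:
            for account_id, detail in conn.execute(query):
                findings.append((filename, account_id, detail, oct(mode), exposed))
        finally:
            conn.close()
    return findings

def build_sample_dir():
    """Constructed sample data: a fake account with fake secrets, one file left world-readable."""
    d = Path(tempfile.mkdtemp())
    samples = [
        ("access_tokens", "account_id, access_token, token_expiry, rapt_token",
         ("user@example.com", "FAKE-TOKEN", "2030-01-01 00:00:00", None), 0o644),
        ("credentials", "account_id, value", ("user@example.com", SAMPLE_VALUE), 0o600),
    ]
    for table, cols, row, mode in samples:
        db = d / f"{table}.db"
        conn = sqlite3.connect(db, isolation_level=None)  # autocommit
        conn.execute(f"CREATE TABLE {table} ({cols})")
        conn.execute(f"INSERT INTO {table} VALUES ({','.join('?' * len(row))})", row)
        conn.close()
        db.chmod(mode)
    return d

if __name__ == "__main__":
    print(audit_gcloud_dir(build_sample_dir()))
```

On Windows the POSIX mode bits are not meaningful, so review the file ACLs there instead of the exposed flag.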