6

Logging out of Google Cloud seems like it should be easy. If I run:

```
$ unset GOOGLE_APPLICATION_CREDENTIALS

$ gcloud auth revoke --all
Revoked credentials:
  - [my account]
$ gcloud auth list

No credentialed accounts.

To login, run:
  $ gcloud auth login `ACCOUNT`
```

It at first looks like I'm completely logged out of gcloud. But watch what happens when I open a Python shell:

```
>>> from google.cloud import secretmanager_v1beta1 as secretmanager
>>> client = secretmanager.SecretManagerServiceClient()
/Users/my/path/.venv/lib/python3.7/site-packages/google/auth/_default.py:66: UserWarning: Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about service accounts, see https://cloud.google.com/docs/authentication/
  warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING)
>>> path = client.secret_version_path(project="my-project-name", secret="my-secret", secret_version="latest")
>>> secret = client.access_secret_version(path)
>>> secret.payload.data.decode()
"Oh, no! I should be secret!"
```

As you can see, even though I ran `gcloud auth revoke --all`, I'm still able to access Google Cloud through the Python SDK using user credentials that are stored somewhere. Is there a way to completely log out of Google Cloud on my laptop?

EDIT: to clarify further: there aren't any Google Cloud Service account JSON files saved on this computer, and I've unset the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.

Joshmaker
  • 135

2 Answers

9

I'm not sure if this will help you in any way, but I ran into a similar issue. Once I had revoked all credentials using the command `gcloud auth revoke --all`, I was still able to execute scripts against my environment. In the end, I found the application default credentials file located in `~/.config/gcloud/application_default_credentials.json`. Renaming or deleting this file helped to revoke credentials completely. And now the client library has no access to the environment:

```
  File "audit_test.py", line 8, in main
    client = resource_manager.Client()
  File "fake_path/python3.7/site-packages/google/cloud/resource_manager/client.py", line 72, in __init__
    super(Client, self).__init__(credentials=credentials, _http=_http)
  File "fake_path/python3.7/site-packages/google/cloud/client.py", line 132, in __init__
    credentials, _ = google.auth.default()
  File "fake_path/python3.7/site-packages/google/auth/_default.py", line 321, in default
    raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started
```

-1

As commented above by AjahnCharles, `gcloud auth application-default revoke` works. Just hit the command and it will remove the application-default creds. See the difference here. I had the same problem and only this worked.

Edit:

Remember that you still need to call `gcloud auth revoke --all` as `gcloud auth application-default revoke` only removes the application-default creds.
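
A check for the leftover credentials both answers describe, as an added example that is not part of the question or of either answer: it reports which on-disk application-default credential sources still exist after `gcloud auth revoke --all`. The function names are hypothetical, the `CLOUDSDK_CONFIG` override and the Windows `%APPDATA%` location are assumptions not taken from this page, and the sample credential file is constructed.

```python
import json
import os
import tempfile
from pathlib import Path

ADC_FILENAME = "application_default_credentials.json"

def gcloud_config_dir(env, home):
    """Cloud SDK config directory (assumption: CLOUDSDK_CONFIG overrides the default)."""
    if env.get("CLOUDSDK_CONFIG"):
        return Path(env["CLOUDSDK_CONFIG"])
    if os.name == "nt" and env.get("APPDATA"):
        return Path(env["APPDATA"]) / "gcloud"
    return Path(home) / ".config" / "gcloud"

def credential_type(path):
    """Return the JSON 'type' field, None if the file is absent, 'unreadable' otherwise."""
    try:
        return json.loads(Path(path).read_text()).get("type", "unknown")
    except FileNotFoundError:
        return None
    except (OSError, ValueError, AttributeError):
        return "unreadable"  # directory, bad permissions, or not a JSON object

def leftover_adc(env=None, home=None):
    """List (source, path, type) for each ADC source still present on disk."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else home
    candidates = [("well-known file", gcloud_config_dir(env, home) / ADC_FILENAME)]
    if env.get("GOOGLE_APPLICATION_CREDENTIALS"):
        candidates.insert(0, ("GOOGLE_APPLICATION_CREDENTIALS",
                              env["GOOGLE_APPLICATION_CREDENTIALS"]))
    return [(src, str(p), kind) for src, p in candidates
            if (kind := credential_type(p)) is not None]

def demo():
    """Constructed home directory holding only the ADC file, then with it deleted."""
    with tempfile.TemporaryDirectory() as home:
        adc = Path(home, ".config", "gcloud", ADC_FILENAME)
        adc.parent.mkdir(parents=True)
        adc.write_text(json.dumps({"type": "authorized_user", "refresh_token": "CONSTRUCTED"}))
        before = leftover_adc(env={}, home=home)
        adc.unlink()  # same effect as deleting the file by hand
        after = leftover_adc(env={}, home=home)
    return before, after

if __name__ == "__main__":
    for source, path, kind in leftover_adc():
        print(f"{source}: {path} ({kind})")
```

An empty result means neither on-disk source is present; it says nothing about credentials obtained from a cloud metadata server.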