Enable Gemini CLI to reuse user's auth in Cloud Shell #3070
Introduces a non-interactive authentication flow for the Gemini CLI when running in a Cloud Shell environment. This change streamlines the user experience by automatically selecting an authentication method based on the environment, rather than prompting the user.

The new authentication logic is as follows:

1. If a user has explicitly set a `selectedAuthType` in their `settings.json`, that setting will be respected.
2. If no `selectedAuthType` is set, the CLI will attempt to authenticate using the following methods in order:
   1. Gemini API key, if the `GEMINI_API_KEY` environment variable is set.
   2. Vertex AI, if the `GOOGLE_GENAI_USE_VERTEXAI` environment variable is set to `true`.
   3. Application Default Credentials (ADC) as a fallback. Cloud Shell has special logic to provide ADC for the logged-in user identity via its metadata server; this enables users to authenticate using the same credentials with which they logged into Cloud Shell without an extra login step.
3. The selected authentication type is not persisted to `settings.json` when using the automatic flow, but OAuth credentials are still cached to `oauth_creds.json` to allow for token refreshes.
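The selection order described above, as an added TypeScript example (not gemini-cli's own code): the auth-type string literals, the `CLOUD_SHELL` variable used to detect the environment, and treating an empty `GEMINI_API_KEY` as unset are assumptions made here, not taken from the PR.

```typescript
// Added example, not gemini-cli code: the non-interactive auth-type cascade
// from the PR description as a pure function over settings and environment.

type AuthType = 'gemini-api-key' | 'vertex-ai' | 'oauth-personal' | 'adc'; // assumed literals

interface Settings {
  selectedAuthType?: AuthType; // mirrors the settings.json key named in the PR
}

interface AuthDecision {
  authType: AuthType;
  source: 'settings.json' | 'automatic';
  // Only an explicit choice lives in settings.json; automatic choices are never written back.
  persistToSettings: boolean;
  // For the ADC fallback: where the credential is expected to come from.
  adcSource?: 'metadata-server' | 'local-adc';
}

function selectAuthType(
  settings: Settings,
  env: Record<string, string | undefined>,
): AuthDecision {
  // 1. An explicit selectedAuthType in settings.json is always respected.
  if (settings.selectedAuthType) {
    return { authType: settings.selectedAuthType, source: 'settings.json', persistToSettings: true };
  }
  // 2a. Gemini API key. Assumption: a set-but-blank variable counts as unset.
  if (env.GEMINI_API_KEY && env.GEMINI_API_KEY.trim() !== '') {
    return { authType: 'gemini-api-key', source: 'automatic', persistToSettings: false };
  }
  // 2b. Vertex AI only when the flag is exactly 'true'; 'TRUE', '1' or 'yes' do not qualify.
  if (env.GOOGLE_GENAI_USE_VERTEXAI === 'true') {
    return { authType: 'vertex-ai', source: 'automatic', persistToSettings: false };
  }
  // 2c. ADC fallback. In Cloud Shell (assumed detection: CLOUD_SHELL=true) the
  // metadata server supplies the logged-in user's credentials; elsewhere ADC is
  // whatever the local environment provides (e.g. gcloud user credentials).
  const inCloudShell = env.CLOUD_SHELL === 'true';
  return {
    authType: 'adc',
    source: 'automatic',
    persistToSettings: false,
    adcSource: inCloudShell ? 'metadata-server' : 'local-adc',
  };
}
```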
Summary of Changes
Hello @mboshernitsan, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request significantly improves the authentication experience for the Gemini CLI when operating within Google Cloud Shell. It introduces logic to automatically detect the Cloud Shell environment and leverage Application Default Credentials (ADC) for seamless authentication, prioritizing existing user credentials. This change aims to reduce friction for users by allowing them to utilize their Cloud Shell login without additional configuration, while also refining the default authentication type selection and enhancing test coverage for these new flows.
Highlights
- Enhanced Cloud Shell Authentication: The Gemini CLI now intelligently detects if it's running in Google Cloud Shell. If so, it prioritizes authentication methods by attempting to leverage Application Default Credentials (ADC) first, allowing users to reuse their existing Cloud Shell login without manual intervention or explicit API keys.
- Prioritized Auth Type Selection: Within the Cloud Shell environment, the CLI now cascades through `GEMINI_API_KEY`, Vertex AI, and Google Login as default authentication types if no explicit type is set. Crucially, these default choices are not persisted to the user's settings file when in Cloud Shell.
- Application Default Credentials (ADC) Integration: The core `oauth2` module has been updated to integrate with the `Compute` client from `google-auth-library`. This enables the CLI to acquire credentials seamlessly via ADC in environments like Cloud Shell, providing a more native and secure authentication experience.
- Improved Error Handling and Test Coverage: Error handling for retrieving Google Account IDs from existing credentials has been made non-fatal, allowing the application to continue. Additionally, comprehensive new tests have been added to validate the Cloud Shell authentication flow, covering scenarios for cached credentials, successful ADC usage, and ADC failures.
Code Review
This pull request enables the Gemini CLI to use a user's existing authentication within Cloud Shell via Application Default Credentials (ADC). A high-priority suggestion is to cache credentials obtained through ADC when they are refreshable to improve performance.
```ts
// Do not cache creds in this case; note that Compute client will handle its own refresh
return computeClient;
```
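Review bot: the comment justifies not caching by saying the Compute client handles its own refresh, but this branch does not check which credential type ADC actually resolved to, so it treats short-lived metadata-server tokens and gcloud user credentials carrying a long-lived refresh token the same way. If the suggestion below to cache when `refresh_token` is present is adopted, keep in mind that the PR description says OAuth credentials are cached to `oauth_creds.json`; a refresh token written there is a second on-disk copy of a long-lived credential, so the file should be created with owner-only permissions and the cached entry discarded when ADC no longer resolves, and a short log line stating which auth type was auto-selected would help users know which identity the CLI is acting under, since the automatic choice is not persisted to `settings.json`.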
The current implementation doesn't cache credentials obtained via Application Default Credentials (ADC). ADC can resolve to different credential types. While credentials from a metadata server are short-lived and shouldn't be cached, ADC can also use user credentials from `gcloud auth application-default login`, which do contain a refresh token and are long-lived.
Not caching these refreshable credentials is a missed optimization. It forces the CLI to run the full ADC flow on every execution, which can be slow. Caching credentials when a `refresh_token` is present would align with user expectations and improve performance.
```ts
// If ADC provides refreshable credentials (e.g. from gcloud user), cache them for efficiency.
if (computeClient.credentials?.refresh_token) {
  await cacheCredentials(computeClient.credentials);
}
return computeClient;
```