I got this error for the first time this week and it’s really confusing me. Here’s the situation:
- Logged into a Google Workspace Account (custom domain / not a Gmail.com) and …
- Using Google Cloud Shell to …
- Build Golang project that …
- Calls Google Cloud APIs (such as Google Cloud Storage) …
- Receive dreaded invalid_rapt even though no authentication is being done ????
P.S. – Been using this setup for about 4 months without running into this problem. Did something change?
What’s frustrating is that using Python still works to, say, list buckets in GCS:
```
python3 -c 'from google.cloud.storage import Client; print(list(Client().list_buckets()))'
```
But Golang does not:
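```go
package main

import (
	"context"
	"fmt"
	"log"

	"cloud.google.com/go/storage"
	"google.golang.org/api/iterator"
)

func main() {
	ctx := context.Background()

	// With no explicit options the client uses Application Default Credentials.
	client, err := storage.NewClient(ctx)
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}
	defer client.Close()

	// List the buckets in project "surfey".
	it := client.Buckets(ctx, "surfey")
	fmt.Println("Buckets:")
	for {
		attrs, err := it.Next()
		if err == iterator.Done {
			break // end of the listing, not a failure
		}
		if err != nil {
			log.Printf("Failed to list buckets: %v", err)
			break
		}
		fmt.Println(attrs.Name)
	}
}
```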
```
$ ./gobuckets
Buckets:
2024/05/15 21:42:37 Failed to list buckets: Get "https://storage.googleapis.com/storage/v1/b?alt=json&pageToken=&prefix=&prettyPrint=false&project=surfey&projection=full": oauth2: "invalid_grant" "reauth related error (invalid_rapt)" "https://support.google.com/a/answer/9368756"
```
However, I found I could work around the problem by setting the Reauthentication policy in Google Workspace Admin to Never require reauthentication … which feels like a very bad solution.
Unfortunately I cannot simply run `gcloud auth application-default login` because, as I said, I’m on Google Cloud Shell, which technically runs as a Google Compute Instance, and thus that gives me a warning:
```
n@cloudshell:~$ gcloud auth application-default login
You are running on a Google Compute Engine virtual machine.
The service credentials associated with this virtual machine
will automatically be used by Application Default
Credentials, so it is not necessary to use this command.
If you decide to proceed anyway, your user credentials may be visible
to others with access to this virtual machine. Are you sure you want
to authenticate with your personal account?
Do you want to continue (Y/n)?
```
This is a complicated question to solve and it’s wasted a lot of my time already. I wonder …
- Why is Python able to work but Golang is not (with a default client)?
- How would I actually re-authenticate when I’m not using local credentials?
- What “app” could I mark Trusted such that I don’t need to have blanket “no reauthentication” configuration?
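
Added example, not part of the original post: a small Go triage helper that parses the `oauth2:` error format shown in the program output above and separates a reauthentication-policy failure (`invalid_rapt`) from other `invalid_grant` causes. The type and function names are hypothetical, the sample lines are constructed, and only the standard library is used.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TokenError (hypothetical name) holds the fields printed after "oauth2:".
type TokenError struct{ Code, Description, URI string }

// Matches `oauth2: "code" "description" "uri"`; the last two fields are optional.
// Curly quotes are accepted because logs pasted through web pages often carry them.
var oauthErrRe = regexp.MustCompile(`oauth2: ["“]([^"”]*)["”](?: ["“]([^"”]*)["”])?(?: ["“]([^"”]*)["”])?`)

// ParseTokenError extracts the OAuth error fields from one log line.
func ParseTokenError(line string) (TokenError, bool) {
	m := oauthErrRe.FindStringSubmatch(line)
	if m == nil {
		return TokenError{}, false
	}
	return TokenError{Code: m[1], Description: m[2], URI: m[3]}, true
}

// NeedsReauth is true when the refresh was rejected with invalid_rapt,
// i.e. the user credential must pass reauthentication again.
func (e TokenError) NeedsReauth() bool {
	return e.Code == "invalid_grant" && strings.Contains(e.Description, "invalid_rapt")
}

// Triage returns a one-line verdict for a log line.
func Triage(line string) string {
	e, ok := ParseTokenError(line)
	switch {
	case !ok:
		return "not an oauth2 token error"
	case e.NeedsReauth():
		return "reauth required (invalid_rapt), see " + e.URI
	default:
		return "other token error: " + e.Code + ": " + e.Description
	}
}

func main() {
	// Constructed sample lines; the first mirrors the error format in the post.
	fmt.Println(Triage(`Failed to list buckets: Get "https://storage.googleapis.com/storage/v1/b?project=example": oauth2: "invalid_grant" "reauth related error (invalid_rapt)" "https://support.google.com/a/answer/9368756"`))
	fmt.Println(Triage(`oauth2: "invalid_grant" "Token has been expired or revoked."`))
}
```
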