GCP OAuth 2.0

This guide demonstrates a basic GCP driver setup: a single inventory namespace is populated with servers, with access authorised via GCP OAuth 2.0 (see: configure GCP using OAuth 2.0).

For further configuration details, please refer to the documentation.

Directory structure

├── .gauth
│   └── your-secrets-file.json
└── bcome
    └── networks.yml

The networks.yml file contains your network configuration, whilst ‘your-secrets-file.json’ contains your OAuth 2.0 application secrets.


Any user requiring use of your OAuth 2.0 application will need the OAuth 2.0 application secrets.

Bcome will trigger an OAuth 2.0 authentication process on first usage, or whenever the access tokens returned from the OAuth 2.0 process have expired or been invalidated.


Access tokens are saved to the .gauth directory, the contents of which should not be added to source control.
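
One way to check the point above before committing, as an added example that is not part of Bcome or its documentation: the function reports any file under .gauth that is readable by group or others, tracked by git, or not covered by an ignore rule. The function name audit_gauth and the probe file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of Bcome): audit a project's .gauth directory.
# Prints each finding and returns the number of findings (0 = clean).
audit_gauth() {
    project_dir=$1
    gauth="$project_dir/.gauth"
    findings=0

    if [ ! -d "$gauth" ]; then
        echo "no .gauth directory under $project_dir"
        return 0
    fi

    # 1. The application secrets and cached tokens should be owner-only.
    for f in "$gauth" "$gauth"/*; do
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        shared=$(ls -ld "$f" | cut -c5-10)
        if [ "$shared" != "------" ]; then
            echo "group/other access ($shared): $f"
            findings=$((findings + 1))
        fi
    done

    # 2. Inside a git work tree: nothing under .gauth tracked, and ignored.
    if git -C "$project_dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        tracked=$(git -C "$project_dir" ls-files -- .gauth)
        if [ -n "$tracked" ]; then
            echo "tracked by git: $tracked"
            findings=$((findings + 1))
        fi
        # "probe" is a hypothetical file name; it does not need to exist.
        if ! git -C "$project_dir" check-ignore -q .gauth/probe; then
            echo ".gauth is not covered by an ignore rule"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Run as a script: sh audit_gauth.sh /path/to/project
if [ "$#" -gt 0 ]; then audit_gauth "$1"; fi
```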

Network Configuration

The networks.yml configuration is simple:

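wbz:
  type: inventory
  description: Entire WBZ estate

  # GCP driver settings for this namespace
  network:
    type: gcp
    project: wbznet
    zone: europe-west1-b
    authentication_scheme: oauth
    # Looked up in the .gauth directory
    secrets_filename: your-secrets-file.json
    service_scopes:
    - https://www.googleapis.com/auth/compute.readonly
    - https://www.googleapis.com/auth/cloud-platform
    filters: status:running

  # SSH connections are proxied via the server in the 'bastion' namespace
  ssh_settings:
    proxy:
      - host_lookup: by_bcome_namespace
        namespace: bastion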


For a full list of namespace attributes see namespace attributes.

Ascii Cast

The following Ascii Cast illustrates the above configuration:


To replay this Asciicast in your own terminal, install the asciinema package from https://asciinema.org/, and then enter the following in your terminal:

asciinema play https://asciinema.org/a/iskFuzue4LzAx6LIV9l44JGuy