[Updated]
Why doesn't gsutil use the Gcloud credentials as it should when running in a docker container on Cloud Shell?
According to [1] gsutil should use gcloud credentials when they are available:
Once credentials have been configured via gcloud auth, those credentials will be used regardless of whether the user has any boto configuration files (which are located at ~/.boto unless a different path is specified in the BOTO_CONFIG environment variable). However, gsutil will still look for credentials in the boto config file if a type of non-GCS credential is needed that's not stored in the gcloud credential store (e.g., an HMAC credential for an S3 account).
This seems to work fine in gcloud installs but not in docker images. The process I used in Cloud Shell is:
docker run -ti --name gcloud-config google/cloud-sdk gcloud auth login
docker run --rm -ti --volumes-from gcloud-config google/cloud-sdk gcloud compute instances list --project my_project
... (works ok)
docker run --rm -ti --volumes-from gcloud-config google/cloud-sdk gsutil ls gs://bucket/
ServiceException: 401 Anonymous caller does not have storage.objects.list access to bucket.
Regards
Kevin
[1] https://cloud.google.com/storage/docs/gsutil/addlhelp/CredentialTypesSupportingVariousUseCases
