I'm running a script that calls into kubernetes via the python client. However, it appears unable to get the correct credentials. I /can/ use the kubectl command-line interface, which I've noticed populates my .kube/config file with an access-token and an expiry whenever I make a command (e.g., kubectl get pods). As long as that token has not expired, my python script runs fine. However, once that token expires it doesn't seem to be able to refresh it, instead failing and telling me to set GOOGLE_APPLICATION_CREDENTIALS.

Of course, when I created a service-account with a keyfile and pointed GOOGLE_APPLICATION_CREDENTIALS to that keyfile, it gave me the following error:

RefreshError: ('invalid_scope: Empty or missing scope not allowed.', u'{\n  "error" : "invalid_scope",\n  "error_description" : "Empty or missing scope not allowed."\n}')

Although from the code it seems like you can provide scopes to credentials, I am trying to create a Kubernetes client via kubernetes.config.kube_config.new_client_from_config, which seems to create credentials without scopes.

Is there something wrong with my understanding of this client? Appreciate any help with this!

I am using the 3.0.0 release of the kubernetes python library. In case it is helpful, here is my .kube/config:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <CERTIFICATE_DATA>
    server: <IP_ADDRESS>
  name: <cluster_name>
contexts:
- context:
    cluster: <cluster_name>
    user: <cluster_name>
    name:  <cluster_name>
users:
- name: <cluster_name>
  user:
    auth-provider:
      config:
        access-token: <SOME_ACCESS_TOKEN>
        cmd-args: config config-helper --format=json
        cmd-path: /usr/lib/google-cloud-sdk/bin/gcloud
        expiry: 2017-11-10T03:20:19Z
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp