dayhoff-tools 1.0.8__py3-none-any.whl → 1.0.9__py3-none-any.whl

dayhoff_tools/cli/cloud_commands.py

@@ -2,14 +2,19 @@
 
 This module provides commands for authenticating with GCP and AWS from within
 development containers. It handles both immediate shell environment configuration
-via the --export flag and persistent configuration via shell RC files.
+via the --export flag (deprecated for GCP) and persistent configuration via
+shell RC files (AWS only) or gcloud config settings (GCP).
 
 The implementation focuses on:
 1. Unifying cloud authentication with the `dh` CLI tool
-2. Maintaining persistence across shell sessions via RC file modifications
+2. Maintaining persistence across shell sessions via RC file modifications (AWS)
+   or gcloud config (GCP).
 3. Providing similar capabilities to the shell scripts it replaces
+4. For GCP, leveraging `gcloud config` and Application Default Credentials (ADC)
+   updates for a streamlined, keyless, no-`eval` workflow.
 """
 
+import json
 import os
 import re
 import shutil
@@ -128,6 +133,129 @@ def _get_env_var(variable: str) -> Optional[str]:
 
 
 # --- GCP Functions ---
+
+# New approach: Use gcloud config settings instead of environment variables
+# for impersonation and project settings. This avoids modifying RC files
+# and the need for `eval "$(dh gcp use-... --export)"`.
+# ADC is updated during the initial `dh gcp login` for the user.
+# Subsequent ADC updates for impersonation or user mode must be done manually
+# if required by libraries, as the underlying gcloud commands can force interaction.
+
+
+def _get_short_name(account: str) -> str:
+    """Extracts a short name ('dma', 'devcon') from a GCP account email.
+
+    Args:
+        account: The full account string (e.g., 'dma@dayhofflabs.com',
+                 'devcon@...', 'None', 'Not authenticated').
+
+    Returns:
+        The short name or the original string if not a recognized email pattern.
+    """
+    if account == GCP_DEVCON_SA:
+        return "devcon"
+    if "@" in account:
+        # Attempt to get the part before @, common for user accounts
+        user_part = account.split("@")[0]
+        # You might want more specific logic here if user formats vary
+        # For now, assume simple user name like 'dma'
+        return user_part
+    # Handle special strings like 'None', 'Not authenticated', etc.
+    return account
+
+
+def _gcloud_set_config(key: str, value: str) -> Tuple[int, str, str]:
+    """Set a gcloud configuration value using `gcloud config set`.
+
+    Args:
+        key: The configuration key (e.g., 'project', 'auth/impersonate_service_account').
+        value: The value to set for the key.
+
+    Returns:
+        Tuple of (return_code, stdout_str, stderr_str) from _run_command.
+    """
+    gcloud_path = _find_executable("gcloud")
+    cmd = [gcloud_path, "config", "set", key, value, "--quiet"]
+    return _run_command(cmd, capture=True, check=False, suppress_output=True)
+
+
+def _gcloud_unset_config(key: str) -> Tuple[int, str, str]:
+    """Unset a gcloud configuration value using `gcloud config unset`.
+
+    Args:
+        key: The configuration key to unset.
+
+    Returns:
+        Tuple of (return_code, stdout_str, stderr_str) from _run_command.
+    """
+    gcloud_path = _find_executable("gcloud")
+    cmd = [gcloud_path, "config", "unset", key, "--quiet"]
+    return _run_command(cmd, capture=True, check=False, suppress_output=True)
+
+
+def _get_adc_status() -> str:
+    """Check the status and type of Application Default Credentials (ADC).
+
+    Attempts to determine the effective credential source, including the
+    default GCE metadata server fallback if no explicit config is found.
+
+    Returns:
+        A short string describing the ADC principal ('dma', 'devcon',
+        'default VM service account', 'Other/External', 'Not configured', etc.).
+    """
+    adc_file = (
+        Path.home() / ".config" / "gcloud" / "application_default_credentials.json"
+    )
+
+    # Check environment variable first (highest precedence after explicit file)
+    if _get_env_var("GOOGLE_APPLICATION_CREDENTIALS"):
+        # We don't know *what* key it points to without reading/parsing it.
+        return "Keyfile (GOOGLE_APPLICATION_CREDENTIALS)"
+
+    # Check explicit ADC JSON file
+    if adc_file.is_file():
+        try:
+            with open(adc_file, "r") as f:
+                adc_data = json.load(f)
+            cred_type = adc_data.get("type")
+
+            if cred_type == "authorized_user":
+                return "dma"  # Assuming 'dma' is the likely user
+            elif cred_type == "impersonated_service_account":
+                sa_url = adc_data.get("service_account_impersonation_url", "")
+                sa_match = re.search(r"serviceAccounts/([^:]+)", sa_url)
+                if sa_match and sa_match.group(1) == GCP_DEVCON_SA:
+                    return "devcon"
+                elif sa_match:
+                    return f"Other SA ({_get_short_name(sa_match.group(1))})"
+                else:
+                    return "devcon (?)"  # Likely devcon but failed parse
+            elif cred_type == "external_account":
+                return "Other/External"
+            elif cred_type == "service_account":
+                # This type in the file usually means it was created pointing
+                # to a specific key file, but not via the env var.
+                # Hard to know details without parsing more.
+                return "Keyfile (from ADC json)"
+            else:
+                return f"Unknown ({cred_type})"
+
+        except json.JSONDecodeError:
+            return "Invalid format"
+        except (IOError, PermissionError, Exception) as e:
+            print(f"Warning: Could not read ADC file {adc_file}: {e}", file=sys.stderr)
+            return "Error reading"
+
+    # If no env var and no JSON file, check for GCE default SA fallback
+    # We infer this by checking the *CLI*'s current user status
+    cli_user = _get_current_gcp_user()  # Reuse existing helper
+    if cli_user == "default VM service account":
+        return "default VM service account"  # ADC likely uses this via metadata
+
+    # If none of the above, ADC is likely unconfigured for this environment
+    return "Not configured"
+
+
 def _is_gcp_user_authenticated() -> bool:
     """Check if the current gcloud user authentication is valid and non-interactive.
 
@@ -151,7 +279,7 @@ def _is_gcp_user_authenticated() -> bool:
 
 
 def _get_current_gcp_user() -> str:
-    """Get the currently authenticated GCP user."""
+    """Get the currently authenticated GCP user or indicate default VM SA."""
     gcloud_path = _find_executable("gcloud")
     cmd = [
         gcloud_path,
@@ -165,74 +293,134 @@ def _get_current_gcp_user() -> str:
     account = stdout.strip()
     if account:
         if "compute@developer.gserviceaccount.com" in account:
-            return "Not authenticated (using VM service account)"
+            # Return a more user-friendly string for the default VM SA case
+            return "default VM service account"
         return account
     return "Not authenticated"
 
 
 def _get_current_gcp_impersonation() -> str:
-    """Get the current impersonated service account, if any."""
-    sa = _get_env_var("CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT")
+    """Get the current impersonated service account from gcloud config."""
+    gcloud_path = _find_executable("gcloud")
+    cmd = [
+        gcloud_path,
+        "config",
+        "get-value",
+        "auth/impersonate_service_account",
+        "--quiet",
+    ]
+    returncode, stdout, _ = _run_command(cmd, capture=True, check=False)
+    sa = stdout.strip() if returncode == 0 else ""
     return sa if sa else "None"
 
 
 def _run_gcloud_login() -> None:
-    """Run the gcloud auth login command."""
+    """Run the gcloud auth login command, updating ADC using device flow.
+
+    Always uses --update-adc to ensure libraries using ADC work immediately for the user.
+    Uses --no-launch-browser for headless environments.
+    """
     gcloud_path = _find_executable("gcloud")
-    print(f"{BLUE}Authenticating with Google Cloud...{NC}")
-    _run_command([gcloud_path, "auth", "login"])
-    print(f"{GREEN}Authentication complete.{NC}")
+    print(f"{BLUE}Authenticating with Google Cloud (will update ADC)...{NC}")
+
+    # Directly use device flow as remote browser consistently failed
+    cmd = [gcloud_path, "auth", "login", "--update-adc", "--no-launch-browser"]
+
+    print(f"{YELLOW}Initiating device flow login... Follow the instructions below.{NC}")
+    # Remove capture=True, rely on direct output and return code
+    returncode, _, _ = _run_command(
+        cmd,
+        capture=False,  # Changed from True
+        check=False,
+        suppress_output=False,
+    )
+
+    if returncode != 0:
+        # stderr is not captured, provide a generic error
+        print(
+            f"{RED}Login command failed (return code: {returncode}). Please check gcloud output above.{NC}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    print(f"{GREEN}User authentication complete. ADC updated for user account.{NC}")
 
 
 def _test_gcp_credentials(user: str, impersonation_sa: str) -> None:
-    """Test GCP credentials with and without impersonation."""
+    """Test GCP credentials. Only prints output on failure (to stderr)."""
     gcloud_path = _find_executable("gcloud")
-
-    print(f"\n{BLUE}Testing credentials...{NC}")
+    user_short = _get_short_name(user)
+    impersonation_short = _get_short_name(impersonation_sa)
 
     if user != "Not authenticated" and "Not authenticated" not in user:
+        cmd = [
+            gcloud_path,
+            "compute",
+            "zones",
+            "list",
+            "--limit=1",
+            f"--project={GCP_PROJECT_ID}",
+        ]
+
         if impersonation_sa != "None":
-            # Test user account first by temporarily unsetting impersonation
-            orig_impersonation = _get_env_var(
-                "CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT"
+            orig_sa = impersonation_sa
+            unset_rc, _, unset_err = _gcloud_unset_config(
+                "auth/impersonate_service_account"
             )
-            if orig_impersonation:
-                del os.environ["CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT"]
-
-            print(f"First with user account {user}:")
-            cmd = [gcloud_path, "compute", "zones", "list", "--limit=1"]
-            returncode, _, _ = _run_command(cmd, suppress_output=True, check=False)
-
-            if returncode == 0:
-                print(f"{GREEN}✓ User has direct GCP access{NC}")
-            else:
-                print(f"{YELLOW}✗ User lacks direct GCP access{NC}")
+            if unset_rc != 0:
+                # Failure to unset is an error state
+                print(
+                    f"{RED}✗ Test Error: Failed to temporarily disable impersonation: {unset_err}{NC}",
+                    file=sys.stderr,
+                )
 
-            # Restore impersonation and test with it
-            if orig_impersonation:
-                os.environ["CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT"] = (
-                    orig_impersonation
+            user_returncode, _, _ = _run_command(cmd, suppress_output=True, check=False)
+            if user_returncode != 0:
+                # Failure to access as user
+                print(
+                    f"{RED}✗ Test Failure: Cannot access resources directly as user '{user_short}'. Check roles/project.{NC}",
+                    file=sys.stderr,
                 )
 
-            print(f"Then impersonating {impersonation_sa}:")
-            returncode, _, _ = _run_command(cmd, suppress_output=True, check=False)
+            set_rc, _, set_err = _gcloud_set_config(
+                "auth/impersonate_service_account", orig_sa
+            )
+            if set_rc != 0:
+                # Failure to restore is an error state
+                print(
+                    f"{RED}✗ Test Error: Failed to restore impersonation config for {impersonation_short}: {set_err}{NC}",
+                    file=sys.stderr,
+                )
 
-            if returncode == 0:
-                print(f"{GREEN}✓ Successfully using devcon service account{NC}")
-            else:
+            impersonation_returncode, _, _ = _run_command(
+                cmd, suppress_output=True, check=False
+            )
+            if impersonation_returncode != 0:
+                # Failure to access while impersonating
                 print(
-                    f"{RED}Failed to access GCP resources with impersonation. Check permissions.{NC}"
+                    f"{RED}✗ Test Failure: Cannot access resources impersonating '{impersonation_short}'. Check permissions/config.{NC}",
+                    file=sys.stderr,
                 )
+
         else:
-            # Test user account directly (no impersonation)
-            print(f"Using user account {user} (no impersonation):")
-            cmd = [gcloud_path, "compute", "zones", "list", "--limit=1"]
+            # Test user account directly (no impersonation config)
             returncode, _, _ = _run_command(cmd, suppress_output=True, check=False)
-
-            if returncode == 0:
-                print(f"{GREEN}✓ Successfully using personal account{NC}")
-            else:
-                print(f"{RED}Failed to access GCP resources. Check permissions.{NC}")
+            if returncode != 0:
+                # Failure to access as user
+                print(
+                    f"{RED}✗ Test Failure: Cannot access resources directly as user '{user_short}'. Check roles/project.{NC}",
+                    file=sys.stderr,
+                )
+            # Success: No output
+            # else:
+            #    print(f"{GREEN}✓ Direct access as user {user_short}: OK{NC}")
+            # Correctly indented pass statement if no action needed on success
+            pass
+    else:
+        # If user isn't authenticated at all, maybe print a warning?
+        # print(f"{YELLOW}User not authenticated, skipping credential test.{NC}")
+        # Decided against this to keep output minimal unless actual test fails.
+        pass  # Explicit pass for the outer else
 
 
 # --- AWS Functions ---
@@ -319,160 +507,343 @@ def _get_available_aws_profiles() -> List[str]:
 
 
 # --- Typer Applications ---
-gcp_app = typer.Typer(help="Manage GCP authentication and impersonation.")
-aws_app = typer.Typer(help="Manage AWS SSO authentication.")
+gcp_app = typer.Typer(
+    help="Manage GCP authentication using gcloud config and ADC. (RC file/env var methods are deprecated)."
+)
+aws_app = typer.Typer(help="Manage AWS SSO authentication using RC files.")
 
 
 # --- GCP Commands ---
 @gcp_app.command("status")
 def gcp_status():
-    """Show current GCP authentication and impersonation status."""
-    user_account = _get_current_gcp_user()
-    impersonated_sa = _get_current_gcp_impersonation()
-
-    print(f"{BLUE}GCP Status:{NC}")
-    print(f"User account:       {GREEN}{user_account}{NC}")
-    print(f"Service account:    {GREEN}{impersonated_sa}{NC}")
-    print(f"Project:            {GREEN}{GCP_PROJECT_ID}{NC}")
+    """Show active GCP credentials for CLI and Libraries/ADC."""
+    cli_user = _get_current_gcp_user()
+    cli_impersonation = _get_current_gcp_impersonation()
+    adc_principal = _get_adc_status()
+
+    # Determine active principal for CLI
+    if cli_impersonation != "None":
+        cli_active_short = _get_short_name(cli_impersonation)
+    else:
+        cli_active_short = _get_short_name(cli_user)
+
+    # Get short name for ADC principal
+    adc_active_short = _get_short_name(adc_principal)
+
+    # Define a fixed width for the principal name field
+    name_width = 10
+
+    print(
+        f"Using {GREEN}{cli_active_short:<{name_width}}{NC} for {BLUE}gcloud CLI{NC} (gcloud, gsutil)"
+    )
     print(
-        f"Mode:               {GREEN}{'Service account impersonation' if impersonated_sa != 'None' else 'Personal account'}{NC}"
+        f"Using {GREEN}{adc_active_short:<{name_width}}{NC} for {BLUE}Libraries/Tools{NC} (warehouse, Terraform, Python clients)\n"
     )
 
-    _test_gcp_credentials(user_account, impersonated_sa)
+    # Run tests silently, they will print to stderr only on failure
+    _test_gcp_credentials(cli_user, cli_impersonation)
 
 
 @gcp_app.command("login")
 def gcp_login():
-    """Authenticate with GCP using your Google account."""
-    _run_gcloud_login()
-    print("\nTo activate devcon service account impersonation, run:")
-    print(f'  {YELLOW}eval "$(dh gcp use-devcon --export)"{NC}')
-    print("To use your personal account permissions, run:")
-    print(f'  {YELLOW}eval "$(dh gcp use-user --export)"{NC}')
+    """Authenticate user & configure CLI to impersonate devcon SA."""
+    # Step 1: Authenticate the user (updates ADC for user)
+    _run_gcloud_login()  # Uses device flow
+
+    # Step 2: Configure gcloud CLI for devcon SA impersonation
+    print(f"\n{BLUE}Configuring gcloud CLI to impersonate {GCP_DEVCON_SA}...{NC}")
+    set_sa_rc, _, set_sa_err = _gcloud_set_config(
+        "auth/impersonate_service_account", GCP_DEVCON_SA
+    )
+    if set_sa_rc != 0:
+        print(
+            f"{RED}Error setting impersonation config: {set_sa_err}{NC}",
+            file=sys.stderr,
+        )
+        print(f"{YELLOW}Warning: CLI impersonation failed to configure.{NC}")
+        # Attempt to show status anyway before exiting command
+        print("\n{BLUE}Current status:{NC}")
+        gcp_status()
+        return
+
+    set_proj_rc, _, set_proj_err = _gcloud_set_config("project", GCP_PROJECT_ID)
+    if set_proj_rc != 0:
+        print(f"{RED}Error setting project config: {set_proj_err}{NC}", file=sys.stderr)
+        # Continue, but warn user
+
+    # Step 3: Print configuration options
+    print(f"\n{GREEN}Login successful. CLI configured for devcon impersonation.{NC}")
+    print(f"{BLUE}--- Common Configuration Commands ---\n{NC}")
+
+    cmd_width = 25  # Adjusted width for dh commands
+
+    print(f"  {BLUE}Set CLI to use User:{NC}")
+    print(f"    {YELLOW}{f'dh gcp use-user':<{cmd_width}}{NC}")
+
+    print(f"  {BLUE}Set CLI to use Devcon SA:{NC}")
+    print(
+        f"    {YELLOW}{f'dh gcp use-devcon':<{cmd_width}}{NC} {GREEN}(Current default after login){NC}"
+    )
+
+    print(f"  {BLUE}Set Libraries/Tools (ADC) to use User:{NC}")
+    print(f"    {YELLOW}{f'dh gcp use-user-adc':<{cmd_width}}{NC}")
+
+    print(f"  {BLUE}Set Libraries/Tools (ADC) to use Devcon SA:{NC}")
+    print(f"    {YELLOW}{f'dh gcp use-devcon-adc':<{cmd_width}}{NC}")
+
+    # Step 4: Show current status automatically
+    print(f"\n{BLUE}--- Current Status ---{NC}")
+    gcp_status()
 
 
 @gcp_app.command("use-devcon")
 def gcp_use_devcon(
     export: bool = typer.Option(
-        False, "--export", "-x", help="Print export commands for the current shell."
+        False,
+        "--export",
+        "-x",
+        help="Deprecated. Has no effect. Settings are applied directly via gcloud config.",
+        hidden=True,
     ),
 ):
-    """Configure gcloud CLI to impersonate the devcon SA by setting RC file variables.
+    """Configure gcloud CLI to impersonate the devcon SA.
 
-    NOTE: This command DOES NOT automatically update Application Default Credentials (ADC).
-    After running this, or after sourcing the export commands, you may need to run:
-    'gcloud auth application-default login --impersonate-service-account=...' manually
-    if you need libraries (like DVC) to use these credentials.
+    This command updates gcloud configuration settings directly.
+    It DOES NOT modify shell RC files or require `eval`.
+    It DOES NOT automatically update Application Default Credentials (ADC) for impersonation.
 
-    Ensures the primary user login is valid first to allow potential impersonation.
+    Ensures the primary user login is valid first.
     """
+    if export:
+        print(
+            f"{YELLOW}Warning: --export/-x is deprecated and has no effect. "
+            f"GCP settings are now managed via gcloud config.{NC}",
+            file=sys.stderr,
+        )
+
     if not _is_gcp_user_authenticated():
         print(
             f"{RED}Error: GCP user authentication is invalid or requires interactive login.{NC}",
             file=sys.stderr,
         )
         print(
-            f"{YELLOW}Please run 'gcloud auth login' interactively first, then try this command again.{NC}",
+            f"{YELLOW}Please run 'dh gcp login' interactively first, then try this command again.{NC}",
             file=sys.stderr,
         )
         sys.exit(1)
 
-    # Set gcloud CLI impersonation (persisted to RC files)
-    _modify_rc_files("CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT", f"'{GCP_DEVCON_SA}'")
-    _modify_rc_files("GOOGLE_CLOUD_PROJECT", f"'{GCP_PROJECT_ID}'")
-
-    if export:
-        # Print export commands for the current shell (for gcloud CLI)
-        print(f"export CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT='{GCP_DEVCON_SA}'")
-        print(f"export GOOGLE_CLOUD_PROJECT='{GCP_PROJECT_ID}'")
+    print(f"{BLUE}Configuring gcloud CLI to impersonate {GCP_DEVCON_SA}...{NC}")
 
-        # Print confirmation and instructions for ADC to stderr
+    # Set gcloud CLI impersonation via config
+    set_sa_rc, _, set_sa_err = _gcloud_set_config(
+        "auth/impersonate_service_account", GCP_DEVCON_SA
+    )
+    if set_sa_rc != 0:
         print(
-            f"{GREEN}GCP gcloud CLI impersonation for '{GCP_DEVCON_SA}' exported.{NC}",
+            f"{RED}Error setting impersonation config: {set_sa_err}{NC}",
             file=sys.stderr,
         )
+        sys.exit(1)
+
+    set_proj_rc, _, set_proj_err = _gcloud_set_config("project", GCP_PROJECT_ID)
+    if set_proj_rc != 0:
+        print(f"{RED}Error setting project config: {set_proj_err}{NC}", file=sys.stderr)
+        # Continue, but warn user
+
+    # Check for lingering legacy environment variable
+    if _get_env_var("CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT"):
         print(
-            f"{YELLOW}NOTE: ADC file not updated by export. To update ADC for libraries, run:{NC}",
+            f"{YELLOW}Warning: Legacy env var CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT is set.{NC}",
             file=sys.stderr,
         )
         print(
-            f"{YELLOW}  gcloud auth application-default login --impersonate-service-account={GCP_DEVCON_SA}{NC}",
+            f"{YELLOW}         This may override gcloud config. Consider running:{NC}",
             file=sys.stderr,
         )
-    else:
-        # Print confirmation
-        print(
-            f"{GREEN}RC files updated to use devcon SA for future gcloud CLI sessions.{NC}"
-        )
-        print(f"To apply gcloud CLI settings in current shell, run:")
-        print(f'  {YELLOW}eval "$(dh gcp use-devcon --export)"{NC}')
-        print(
-            f"{YELLOW}NOTE: ADC file not updated. To update ADC for libraries, run:{NC}"
-        )
         print(
-            f"{YELLOW}  gcloud auth application-default login --impersonate-service-account={GCP_DEVCON_SA}{NC}"
+            f"{YELLOW}         unset CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT{NC}",
+            file=sys.stderr,
         )
 
+    print(f"\n{GREEN}GCP CLI configured to use devcon SA ({GCP_DEVCON_SA}).{NC}")
+    print(f"Project set to: {GCP_PROJECT_ID}")
+    print(
+        f"{YELLOW}NOTE: If libraries/tools (e.g., for DVC, Terraform) need to use impersonation, update Application Default Credentials (ADC) manually:{NC}"
+    )
+    print(
+        f"{YELLOW}        gcloud auth application-default login --impersonate-service-account={GCP_DEVCON_SA}{NC}"
+    )
+    print(f"Run 'dh gcp status' to verify CLI configuration.")
+
 
 @gcp_app.command("use-user")
 def gcp_use_user(
     export: bool = typer.Option(
-        False, "--export", "-x", help="Print export commands for the current shell."
+        False,
+        "--export",
+        "-x",
+        help="Deprecated. Has no effect. Settings are applied directly via gcloud config.",
+        hidden=True,
     ),
 ):
-    """Configure gcloud CLI to use the personal user account by setting RC file variables.
+    """Configure gcloud CLI to use the personal user account via gcloud config.
 
-    NOTE: This command DOES NOT automatically update Application Default Credentials (ADC).
-    After running this, or after sourcing the export commands, you may need to run:
-    'gcloud auth application-default login' manually
-    if you need libraries (like DVC) to use your personal credentials.
+    This command updates gcloud configuration settings directly.
+    It DOES NOT modify shell RC files or require `eval`.
+    It DOES NOT automatically update Application Default Credentials (ADC).
 
     Ensures the primary user login is valid first.
     """
+    if export:
+        print(
+            f"{YELLOW}Warning: --export/-x is deprecated and has no effect. "
+            f"GCP settings are now managed via gcloud config.{NC}",
+            file=sys.stderr,
+        )
+
     if not _is_gcp_user_authenticated():
         print(
             f"{RED}Error: GCP user authentication is invalid or requires interactive login.{NC}",
             file=sys.stderr,
         )
         print(
-            f"{YELLOW}Please run 'gcloud auth login' interactively first, then try this command again.{NC}",
+            f"{YELLOW}Please run 'dh gcp login' interactively first, then try this command again.{NC}",
             file=sys.stderr,
         )
         sys.exit(1)
 
-    # Unset gcloud CLI impersonation (persisted to RC files)
-    _modify_rc_files("CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT", None)
-    _modify_rc_files("GOOGLE_CLOUD_PROJECT", f"'{GCP_PROJECT_ID}'")
+    print(f"{BLUE}Configuring gcloud CLI to use personal user account...{NC}")
 
-    if export:
-        # Print export commands for the current shell (for gcloud CLI)
-        print(f"unset CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT")
-        print(f"export GOOGLE_CLOUD_PROJECT='{GCP_PROJECT_ID}'")
+    # Unset gcloud CLI impersonation via config
+    unset_sa_rc, _, unset_sa_err = _gcloud_unset_config(
+        "auth/impersonate_service_account"
+    )
+    if unset_sa_rc != 0:
+        print(
+            f"{RED}Error unsetting impersonation config: {unset_sa_err}{NC}",
+            file=sys.stderr,
+        )
+        # Continue, but warn user
 
-        # Print confirmation and instructions for ADC to stderr
+    set_proj_rc, _, set_proj_err = _gcloud_set_config("project", GCP_PROJECT_ID)
+    if set_proj_rc != 0:
+        print(f"{RED}Error setting project config: {set_proj_err}{NC}", file=sys.stderr)
+        # Continue, but warn user
+
+    # Check for lingering legacy environment variable
+    if _get_env_var("CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT"):
         print(
-            f"{GREEN}GCP gcloud CLI impersonation unset and exported.{NC}",
+            f"{YELLOW}Warning: Legacy env var CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT is set.{NC}",
             file=sys.stderr,
         )
         print(
-            f"{YELLOW}NOTE: ADC file not updated by export. To update ADC for libraries, run:{NC}",
+            f"{YELLOW}         This may interfere with using your personal account. Consider running:{NC}",
             file=sys.stderr,
         )
         print(
-            f"{YELLOW}  gcloud auth application-default login{NC}",
+            f"{YELLOW}         unset CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT{NC}",
             file=sys.stderr,
         )
+
+    print(f"\n{GREEN}GCP CLI configured to use personal account.{NC}")
+    print(f"Project set to: {GCP_PROJECT_ID}")
+    print(
+        f"{YELLOW}NOTE: If libraries/tools (e.g., for DVC, Terraform) need to use impersonation, update Application Default Credentials (ADC) manually:{NC}"
+    )
+    print(f"{YELLOW}        gcloud auth application-default login{NC}")
+    print(f"Run 'dh gcp status' to verify CLI configuration.")
+
+
+# === NEW ADC Commands ===
+
+
+@gcp_app.command("use-user-adc")
+def gcp_use_user_adc():
+    """Configure Libraries/Tools (ADC) to use your PERSONAL account."""
+    if not _is_gcp_user_authenticated():
+        print(
+            f"{RED}Error: GCP user authentication is invalid or requires interactive login.{NC}",
+            file=sys.stderr,
+        )
+        print(
+            f"{YELLOW}Please run 'dh gcp login' interactively first.{NC}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    print(f"{BLUE}Attempting to configure ADC for your personal user account...{NC}")
+    print(
+        f"{YELLOW}This may require you to complete a browser authentication flow.{NC}"
+    )
+
+    gcloud_path = _find_executable("gcloud")
+    cmd = [gcloud_path, "auth", "application-default", "login"]
+
+    # Allow interaction, don't capture output
+    returncode, _, _ = _run_command(
+        cmd, capture=False, check=False, suppress_output=False
+    )
+
+    if returncode == 0:
+        print(f"\n{GREEN}Successfully configured ADC for personal user account.{NC}")
+        print(f"{BLUE}--- Current Status ---{NC}")
+        gcp_status()  # Show status after successful change
     else:
-        # Print confirmation
         print(
-            f"{GREEN}RC files updated to use personal account for future gcloud CLI sessions.{NC}"
+            f"{RED}Failed to configure ADC (Return code: {returncode}). Check messages above.{NC}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+
+@gcp_app.command("use-devcon-adc")
+def gcp_use_devcon_adc():
+    """Configure Libraries/Tools (ADC) to use the DEVCON service account."""
+    if not _is_gcp_user_authenticated():
+        print(
+            f"{RED}Error: GCP user authentication is invalid or requires interactive login.{NC}",
+            file=sys.stderr,
+        )
+        print(
+            f"{YELLOW}Please run 'dh gcp login' interactively first.{NC}",
+            file=sys.stderr,
         )
-        print(f"To apply gcloud CLI settings in current shell, run:")
-        print(f'  {YELLOW}eval "$(dh gcp use-user --export)"{NC}')
+        sys.exit(1)
+
+    print(f"{BLUE}Attempting to configure ADC for devcon SA ({GCP_DEVCON_SA})...{NC}")
+    print(
+        f"{YELLOW}This may require you to complete a browser authentication flow.{NC}"
+    )
+
+    gcloud_path = _find_executable("gcloud")
+    cmd = [
+        gcloud_path,
+        "auth",
+        "application-default",
+        "login",
+        f"--impersonate-service-account={GCP_DEVCON_SA}",
+    ]
+
+    # Allow interaction, don't capture output
+    returncode, _, _ = _run_command(
+        cmd, capture=False, check=False, suppress_output=False
+    )
+
+    if returncode == 0:
         print(
-            f"{YELLOW}NOTE: ADC file not updated. To update ADC for libraries, run:{NC}"
+            f"\n{GREEN}Successfully configured ADC for devcon SA ({GCP_DEVCON_SA}).{NC}"
         )
-        print(f"{YELLOW}  gcloud auth application-default login{NC}")
+        print(f"{BLUE}--- Current Status ---{NC}")
+        gcp_status()  # Show status after successful change
+    else:
+        print(
+            f"{RED}Failed to configure ADC (Return code: {returncode}). Check messages above.{NC}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+
+# === End NEW ADC Commands ===
 
 
 # --- AWS Commands ---

{dayhoff_tools-1.0.8.dist-info → dayhoff_tools-1.0.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: dayhoff-tools
-Version: 1.0.8
+Version: 1.0.9
 Summary: Common tools for all the repos at Dayhoff Labs
 Author: Daniel Martin-Alarcon
 Author-email: dma@dayhofflabs.com

{dayhoff_tools-1.0.8.dist-info → dayhoff_tools-1.0.9.dist-info}/RECORD

@@ -2,7 +2,7 @@ dayhoff_tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dayhoff_tools/chemistry/standardizer.py,sha256=uMn7VwHnx02nc404eO6fRuS4rsl4dvSPf2ElfZDXEpY,11188
 dayhoff_tools/chemistry/utils.py,sha256=jt-7JgF-GeeVC421acX-bobKbLU_X94KNOW24p_P-_M,2257
 dayhoff_tools/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dayhoff_tools/cli/cloud_commands.py,sha256=Z_zCtZYH0thljiOSkr1fjFZal7a8DZtY-dH7uZEa4YI,22571
+dayhoff_tools/cli/cloud_commands.py,sha256=KiYEuD3nSg8QPWBYfrhdze2La_CJe4iqK-8uOAHyS8U,35827
 dayhoff_tools/cli/main.py,sha256=E1-3rZ26LMgJVKBz6CdJwsHs9fJsSGa2_9tot3hNgz4,3604
 dayhoff_tools/cli/swarm_commands.py,sha256=5EyKj8yietvT5lfoz8Zx0iQvVaNgc3SJX1z2zQR6o6M,5614
 dayhoff_tools/cli/utility_commands.py,sha256=AsZMpvUNP2xjn5cZ9_BrBNHggfuy6PLwlHw1WP0d7o0,9602
@@ -25,7 +25,7 @@ dayhoff_tools/sqlite.py,sha256=jV55ikF8VpTfeQqqlHSbY8OgfyfHj8zgHNpZjBLos_E,18672
 dayhoff_tools/structure.py,sha256=ufN3gAodQxhnt7psK1VTQeu9rKERmo_PhoxIbB4QKMw,27660
 dayhoff_tools/uniprot.py,sha256=BZYJQF63OtPcBBnQ7_P9gulxzJtqyorgyuDiPeOJqE4,16456
 dayhoff_tools/warehouse.py,sha256=TqV8nex1AluNaL4JuXH5zuu9P7qmE89lSo6f_oViy6U,14965
-dayhoff_tools-1.0.8.dist-info/METADATA,sha256=Lq5sNvPmJa0zu7EMKyS8ID0moWaqUhoQpbcb1kCphco,1930
-dayhoff_tools-1.0.8.dist-info/WHEEL,sha256=fGIA9gx4Qxk2KDKeNJCbOEwSrmLtjWCwzBz351GyrPQ,88
-dayhoff_tools-1.0.8.dist-info/entry_points.txt,sha256=iAf4jteNqW3cJm6CO6czLxjW3vxYKsyGLZ8WGmxamSc,49
-dayhoff_tools-1.0.8.dist-info/RECORD,,
+dayhoff_tools-1.0.9.dist-info/METADATA,sha256=z5v8zbt4z_B5283bqkkFlybQox_tZacU-Z6JPNyg1vc,1930
+dayhoff_tools-1.0.9.dist-info/WHEEL,sha256=fGIA9gx4Qxk2KDKeNJCbOEwSrmLtjWCwzBz351GyrPQ,88
+dayhoff_tools-1.0.9.dist-info/entry_points.txt,sha256=iAf4jteNqW3cJm6CO6czLxjW3vxYKsyGLZ8WGmxamSc,49
+dayhoff_tools-1.0.9.dist-info/RECORD,,