I'm running a simple script that calls into kubernetes via the python client:

from kubernetes import client, config

# Configs can be set in Configuration class directly or using helper utility
config.load_kube_config()

v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = v1.list_pod_for_all_namespaces(watch=False)
for i in ret.items:
    print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))

.

However, it appears unable to get the correct credentials. I can use the kubectl command-line interface, which I've noticed populates my .kube/config file with an access-token and an expiry whenever I make a command (e.g., kubectl get pods).

As long as that token has not expired, my python script runs fine. However, once that token expires it doesn't seem to be able to refresh it, instead failing and telling me to set GOOGLE_APPLICATION_CREDENTIALS. Of course, when I created a service-account with a keyfile and pointed GOOGLE_APPLICATION_CREDENTIALS to that keyfile, it gave me the following error:

RefreshError: ('invalid_scope: Empty or missing scope not allowed.', u'{\n  "error" : "invalid_scope",\n  "error_description" : "Empty or missing scope not allowed."\n}')

Is there something wrong with my understanding of this client? Appreciate any help with this!

I am using the 3.0.0 release of the kubernetes python library. In case it is helpful, here is my .kube/config:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <CERTIFICATE_DATA>
    server: <IP_ADDRESS>
  name: <cluster_name>
contexts:
- context:
    cluster: <cluster_name>
    user: <cluster_name>
    name:  <cluster_name>
users:
- name: <cluster_name>
  user:
    auth-provider:
      config:
        access-token: <SOME_ACCESS_TOKEN>
        cmd-args: config config-helper --format=json
        cmd-path: /usr/lib/google-cloud-sdk/bin/gcloud
        expiry: 2017-11-10T03:20:19Z
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp