From 972c8f36e65a528c499a2e50c2e5dd65267a9e8a Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Tue, 13 Jul 2021 16:02:12 +0530 Subject: [PATCH] Document authentication mechanisms for gcloud Ref https://github.com/2i2c-org/pilot-hubs/issues/476 --- docs/reference/tools.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/reference/tools.md b/docs/reference/tools.md index 5c60bcbe7..19997e3c9 100644 --- a/docs/reference/tools.md +++ b/docs/reference/tools.md @@ -91,4 +91,21 @@ new files. [`google-cloud-sdk`](https://cloud.google.com/sdk/docs/install) is the primary commandline tool used to interact with Google Cloud Platform (GCP). Our deployment scripts use it to authenticate to GCP, and it is very helpful in [debugging node -issues](../howto/operate/node-administration.md). \ No newline at end of file +issues](../howto/operate/node-administration.md). + +### Tips + +#### Authentication + +`gcloud` has two authentication flows, and that can get quite confusing since we +work on a number of clusters with different Google credentials. + +[`gcloud auth login`](https://cloud.google.com/sdk/gcloud/reference/auth/login) +provides credentials for `gcloud` commands like `gcloud compute instances list` +or `gcloud container clusters list`. + +[`gcloud auth application-default login`](https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login) +provides credentials for *other tools* (such as `helm`, `kubectl`, `sops`) to +authenticate to Google Cloud Platform on your behalf. So if `sops` or +`kubectl` is complaining about authentication, make sure you are authenticated +correctly with `application-default` \ No newline at end of file
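Review bot: The last paragraph of the new "Authentication" section tells the reader to "make sure you are authenticated correctly with `application-default`" but never says how to check which identity each flow is currently using. The section's own opening names that as the source of confusion ("a number of clusters with different Google credentials"). Consider adding one sentence stating that the two logins are stored independently, so running `gcloud auth login` with a different account does not change what `helm`, `kubectl` or `sops` use. Also mention `gcloud auth list` as the way to see the active account for `gcloud` commands, and re-running `gcloud auth application-default login` as the way to switch the other one. Two smaller points on the same paragraph: the final sentence has no closing period, and the file again ends with "\ No newline at end of file", which is the defect this hunk fixes for the previous last line.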