Gcloud - How to use a service-account and a user account from the same machine?

I have created a service account for a coworker to upload files into my GCP bucket. I shared the service account credentials and the coworker activated them with the gcloud auth command.

$ gcloud auth activate-service-account --key-file bucket-creds.json
Activated service account credentials for: [upload@my-bucket.iam.gserviceaccount.com]

The account was validated with gcloud auth list:

$ gcloud auth list

ACTIVE ACCOUNT Credentialed Accounts
useraccount@company.com
* upload@my-bucket.iam.gserviceaccount.com

Now, when my coworker goes to upload something into my bucket with gsutil cp, they receive an error about having multiple credential types.

$ gsutil cp example.file gs://my-bucket/
Copying file://example.file [Content-Type=application/x-tar]...

CommandException: You have multiple types of configured credentials (['Oauth 2.0 User Account', 'OAuth 2.0 Service Account']), which is not supported. One common way this happens is if you run gsutil config to create credentials and later run gcloud auth, and create a second set of credentials. Your boto config path is: ['/data/home/user/.boto', '/data/home/user/.config/gcloud/legacy_credentials/upload@my-bucket.iam.gserviceaccount.com/.boto']. For more help, see "gsutil help creds".

I'm very confused at why gsutil is unable to handle multiple types of credentials. If the service account has been activated with gcloud auth, why is the gsutil cp command unable to use the credentials just because there are also other credentials available? Is it expected that we should delete the original user credentials and just use the service account credentials?

I have read the other questions on this topic and found them unhelpful. I understand there may be a need to change some environment variables, but I'm unsure how we should do this and if we will be able to retain the functionality of the original user account after the upload is completed. Is anyone able to explain why this does not work? I have had no issues in the past using user accounts AND service accounts during the same session, so long as the gcloud auth command was executed before other commands. .

My coworker tried logging back into their user account and initiating the upload, unsurprisingly this didn't work as their user account does not have the required permissions while the service account does.
$ gcloud config set account useraccount@company.com
Updated property [core/account].

$ gsutil cp example.file gs://my-bucket/

Copying file://example.file [Content-Type=application/x-tar]...

ResumableUploadAbortException: 403 useraccount@company.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).

Something is misconfigured on your system. I recommend running gcloud auth revoke until no more credentials are authorized. Run gsutil ls and verify that gsutil is not authorized. Run gcloud init. Then run gcloud auth activate-service-account.

If you want to configure gsutil to use a service account instead of the credentials configured by gcloud run the following two commands:

gcloud config set pass_credentials_to_gsutil false
gsutil config -e

You will be prompted for the full path to the service account JSON key file.

gsutil does not define any credential precedence, so if it finds multiple types of credentials present, it doesn't know which should be used.

The error is accurate -- it shows that you have a boto file in your home directory that was created for use with a standalone (non-gcloud) gsutil installation, as well as a boto file that was created by gcloud (the one for the service account). You should choose one gsutil installation method and stick with it -- either use standalone gsutil, or install gcloud and use the gsutil installation included with that. Mixing the two often results in configuration errors like this.

If using a gcloud-bundled gsutil installation, you should delete the config file(s) that were created for use with standalone gsutil (i.e. the one in your home directory), and just use gcloud to configure your active account and associated credentials (which, under the hood, actually just makes gcloud tell gsutil which boto config it should load).