LinuxCommandLibrary

gcloud-auth

Authenticate gcloud CLI with Google Cloud

TLDR

Authorize Google Cloud access for the gcloud CLI with Google Cloud user credentials and set the current account as active

$ gcloud auth login

Authorize Google Cloud access similar to gcloud auth login but with service account credentials
$ gcloud auth activate-service-account

Manage Application Default Credentials (ADC) for Cloud Client Libraries
$ gcloud auth application-default

Display a list of Google Cloud accounts currently authenticated on your system
$ gcloud auth list

Display the current account's access token
$ gcloud auth print-access-token

Remove access credentials for an account
$ gcloud auth revoke

SYNOPSIS

gcloud auth <COMMAND> [--account=ACCOUNT] [--scopes=SCOPES] [GCLOUD_WIDE_FLAGS]

PARAMETERS

activate-service-account
    Authenticate using a service account key file.

application-default
    Manage Application Default Credentials (ADC).

configure-docker
    Configure Docker to use gcloud credentials.

list
    List all credentialed accounts (* active).

login
    Log in with user credentials (browser OAuth).

print-access-token
    Print access token for active account.

print-refresh-token
    Print refresh token for active account.

revoke
    Revoke credentials for accounts.

--account
    Override default active account.

--scopes
    Scopes for token (comma-separated).

--key-file
    Path to service account key file.

DESCRIPTION

The gcloud auth command group is essential for the Google Cloud CLI, handling OAuth 2.0 credentials to access GCP services securely. It supports user accounts via browser login, service accounts with JSON keys, and application default credentials (ADC) for libraries like client SDKs.

Primary operations include logging in interactively (gcloud auth login), activating service accounts (gcloud auth activate-service-account), listing accounts (gcloud auth list), printing tokens for scripts (gcloud auth print-access-token), and revoking access (gcloud auth revoke). It also configures Docker for credential passthrough and manages ADC separately.

The --account flag switches the account used for a command, --scopes limits the OAuth scopes a token carries, and --key-file specifies the service account key to use. Narrowing scopes helps apply least-privilege principles. The command group is common in DevOps for CI/CD (e.g., GitHub Actions) and local setups. It requires the gcloud SDK and integrates with gcloud init for project setup.

Security best practice: revoke tokens regularly and use short-lived credentials.

CAVEATS

Requires installed Google Cloud CLI. Headless login needs --no-launch-browser or service accounts. Key files must be secured; prefer Workload Identity.

EXAMPLES

gcloud auth login --update-adc
gcloud auth activate-service-account --key-file=key.json
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://cloud.google.com
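
The caveat that key files must be secured, and the advice to revoke credentials, can be enforced in a CI wrapper. The script below is an added example, not part of gcloud or of the original page; the function names and the return codes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not part of gcloud.

# Succeed only if the key is a regular file (no symlink), accessible by
# its owner alone, and is a service-account JSON key.
check_key_file() {
    key=$1
    if [ ! -f "$key" ] || [ -L "$key" ]; then
        echo "not a regular file: $key" >&2; return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key") || return 1
    case $mode in
        400|600) ;;
        *) echo "mode $mode on $key is too open (want 600)" >&2; return 2 ;;
    esac
    grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key" || {
        echo "$key is not a service account key" >&2; return 3
    }
}

# Print the client_email field so revoke can target exactly this account.
key_account() {
    sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Activate the key, run the given command, then revoke the credential
# whether the command succeeded or not; return the command's status.
run_with_service_account() {
    key=$1; shift
    check_key_file "$key" || return
    account=$(key_account "$key")
    [ -n "$account" ] || { echo "no client_email in $key" >&2; return 4; }
    gcloud auth activate-service-account --key-file="$key" || return
    status=0
    "$@" || status=$?
    gcloud auth revoke "$account" --quiet
    return "$status"
}
```

Source the file and call `run_with_service_account key.json <command> [args...]`; the credential is removed from the local gcloud store once the command returns.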

GLOBAL FLAGS

See gcloud topic flags for logging (--log-http) and impersonation (--impersonate-service-account).

HISTORY

Introduced in Google Cloud SDK v0.1 (2013); evolved with OAuth2, ADC support (2015+), Docker integration (2017), and Workload Identity (2020+).

SEE ALSO

gcloud(1), gsutil(1)
