gcloud alpha auth application-default login

NAME
gcloud alpha auth application-default login - acquire new user credentials to use for Application Default Credentials
SYNOPSIS
gcloud alpha auth application-default login [ACCOUNT] [--no-browser] [--client-id-file=CLIENT_ID_FILE] [--disable-quota-project] [--no-launch-browser] [--login-config=LOGIN_CONFIG] [--scopes=SCOPE,[SCOPE,…]] [GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA) Obtains user access credentials via a web flow and puts them in the well-known location for Application Default Credentials (ADC).

This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials. The credentials will apply to all API calls that make use of the Application Default Credentials client library. Do not set the GOOGLE_APPLICATION_CREDENTIALS environment variable if you want to use the credentials generated by this command in your local development. This command tries to find a quota project from gcloud's context and write it to ADC so that Google client libraries can use it for billing and quota. Alternatively, you can use the --client-id-file flag. In this case, the project owning the client ID will be used for billing and quota. You can create the client ID file at https://console.cloud.google.com/apis/credentials.

This command has no effect on the user account(s) set up by the gcloud auth login command.

Any credentials previously generated by gcloud auth application-default login will be overwritten.

EXAMPLES
If you want your local application to temporarily use your own user credentials for API access, run:
gcloud alpha auth application-default login

If you'd like to login by passing in a file containing your own client id, run:

gcloud alpha auth application-default login --client-id-file=clientid.json
POSITIONAL ARGUMENTS
[ACCOUNT]
User account used for authorization. When the account specified has valid credentials in the local credential store these credentials will be re-used. Otherwise new ones will be fetched and replace any stored credential. This caching behavior is only available for user credentials.
FLAGS
--no-browser
If you want to authorize the client libraries on a machine that doesn't have a browser and you can install the gcloud CLI on another machine with a browser, use the --no-browser flag.

1. To initiate authorization, enter the following command:

gcloud auth application-default login --no-browser

2. Copy the long command that begins with gcloud auth application-default login --remote-bootstrap=".

3. Paste and run this command on the command line of a different, trusted machine that has local installations of both a web browser and the gcloud CLI tool version 372.0 or later.

4. Copy the long URL output from the machine with the web browser.

5. Paste the long URL back to the first machine under the prompt, "Enter the output of the above command", and press Enter to complete the authorization.

--client-id-file=CLIENT_ID_FILE
A file containing your own client id to use to login. If --client-id-file is specified, the quota project will not be written to ADC.
--disable-quota-project
By default, the project in billing/quota_project or core/project will be written to application default credentials (ADC) as the quota project. When both are set, billing/quota_project takes precedence. You can use --billing-project to overwrite the value in billing/quota_project. Similarly, you can use --project to overwrite the value in core/project. Client libraries will send it to services and use it for quota and billing. To be able to use a project as the quota project, the account in ADC must have the serviceusage.services.use permission on the project. This permission is granted to the project editor and project owner. You can create custom roles to include this permission.

Note that some cloud services may ignore this quota project and still bill the project owning the resources.

In the following situations, you may use this flag to skip setting the quota project:

  • The account in ADC cannot be granted the project editor or owner role or any role with the serviceusage.services.use permission.
  • You always want to bill the project owning the resources.
--launch-browser
Launch a browser for authorization. If not enabled or if it is not possible to launch a browser, prints a URL to standard output to be copied.

If you want to authorize the client libraries on a machine that doesn't have a browser and you cannot install the gcloud CLI on another machine with a browser, use the --no-launch-browser flag. The --no-launch-browser flag prevents the command from automatically opening a web browser.

1. To initiate authorization, enter the following command:

gcloud auth application-default login --no-launch-browser

2. Copy the long URL that begins with https://accounts.google.com/o/oauth2/auth...

3. Paste this URL into the browser of a different, trusted machine that has a web browser.

4. Copy the authorization code from the machine with the web browser.

5. Paste the authorization code back to the first machine at the prompt, "Enter authorization code", and press Enter to complete the authorization.

Enabled by default, use --no-launch-browser to disable.

--login-config=LOGIN_CONFIG
Path to the login configuration file (workforce pool, generated by the Cloud Console or gcloud iam workforce-pools create-login-config). Overrides the default auth/login_config_file property value for this command invocation.
--scopes=SCOPE,[SCOPE,…]
The names of the scopes to authorize for. By default openid, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/sqlservice.login scopes are used. The list of possible scopes can be found at: https://developers.google.com/identity/protocols/googlescopes. To add scopes for applications outside of Google Cloud Platform, such as Google Drive, create an OAuth Client ID and provide it by using the --client-id-file flag.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
gcloud auth application-default login
gcloud beta auth application-default login