# Authorize service-to-service access

If your architecture is using multiple services, you likely require credentials
to enable communication between services. Cloud Build provides
built-in support for the [OpenID Connect (OIDC)](https://openid.net/connect/)
standard for secure authentication and authorization between services.

You can use Cloud Build to generate ID tokens. With these tokens, you
can call secure endpoints from within Cloud Build.

For example, if you are running a serverless platform application like
Cloud Run functions, Cloud Run, or App Engine, you can securely
interact with your application from within Cloud Build workloads.

> **Note:** The following instructions are only supported for user-specified service accounts. Cloud Build does not support ID token generation with the default service account.

Before you begin
----------------

- Enable the Cloud Build and IAM APIs.
  [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=cloudbuild.googleapis.com,iam.googleapis.com&redirect=https://cloud.google.com/build/docs/securing-builds/authorize-service-to-service-access)
- If you plan to use this account to [create short-lived credentials](/iam/docs/create-short-lived-credentials-direct),
  then you also need to enable the IAM Service Account Credentials API.
  [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=iamcredentials.googleapis.com&redirect=https://cloud.google.com/build/docs/securing-builds/authorize-service-to-service-access)
- To use the command-line examples in this guide, install and
  configure the [Google Cloud CLI](/sdk).
  > **Note:** If you've installed Google Cloud CLI previously, make sure you have the latest available version by running `gcloud components update`.
- Make sure you've [created the service account](/iam/docs/creating-managing-service-accounts)
  you want to use. You **must** create the account in the same Google Cloud project
  where you're running builds.

### Required IAM permissions

Your user-specified service account must have the
`iam.serviceAccounts.getOpenIdToken` permission.

- Grant the [Service Account OpenID Connect Identity Token Creator (`roles/iam.serviceAccountOpenIdTokenCreator`) role](/iam/docs/understanding-roles#iam.serviceAccountOpenIdTokenCreator) to your user-specified service account in the project where you created the service account.

For instructions on granting IAM roles to a service account, see
[Manage access to service accounts](/iam/docs/manage-access-service-accounts).

Methods for obtaining an ID token
---------------------------------

There are two ways to configure your build steps to obtain ID tokens:

- use the gcloud CLI
- send a direct request to the metadata server

### Get an ID token via gcloud

In this section, the following code snippet demonstrates how to use the
gcloud CLI to obtain ID tokens:

### YAML

```yaml
steps:
- name: 'gcr.io/cloud-builders/gcloud'
  script: 'gcloud auth print-identity-token --audiences ${_TOKEN_AUDIENCE} > /workspace/identity_token.txt'
  env:
  - _TOKEN_AUDIENCE=${_TOKEN_AUDIENCE}
service_account: '$_SERVICE_ACCOUNT'
substitutions:
  _TOKEN_AUDIENCE: 'TOKEN_AUDIENCE'
  _SERVICE_ACCOUNT_ID: 'SERVICE_ACCOUNT_ID'
  _SERVICE_ACCOUNT: 'projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT_ID}'
logsBucket: 'LOGS_BUCKET_LOCATION'
options:
  logging: GCS_ONLY
  dynamic_substitutions: true
```

### JSON

```json
{
  "steps": [
    {
      "name": "gcr.io/cloud-builders/gcloud",
      "script": "gcloud auth print-identity-token --audiences ${_TOKEN_AUDIENCE} > /workspace/identity_token.txt",
      "env": [
        "_TOKEN_AUDIENCE=${_TOKEN_AUDIENCE}"
      ]
    }
  ],
  "service_account": "$_SERVICE_ACCOUNT",
  "substitutions": {
    "_TOKEN_AUDIENCE": "TOKEN_AUDIENCE",
    "_SERVICE_ACCOUNT_ID": "SERVICE_ACCOUNT_ID",
    "_SERVICE_ACCOUNT": "projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT_ID}"
  },
  "logsBucket": "LOGS_BUCKET_LOCATION",
  "options": {
    "logging": "GCS_ONLY",
    "dynamic_substitutions": true
  }
}
```

Replace the following:

- `TOKEN_AUDIENCE` is the URL or target audience to obtain the ID token for, such as `http://www.example.com`.
- `SERVICE_ACCOUNT_ID` is the email address or unique ID for the user-specified service account. For example, `service-account-name@project-id.iam.gserviceaccount.com`.
- `LOGS_BUCKET_LOCATION` is the Cloud Storage bucket to store build logs. For example, `gs://mylogsbucket`.

### Send a direct request to the metadata server

In this section, the following code snippet demonstrates how to make a direct
request to the metadata server to obtain ID tokens:

### YAML

```yaml
steps:
- name: 'gcr.io/cloud-builders/curl'
  id: 'printTokenFromCurl'
  script: |
    curl -H 'Metadata-Flavor: Google' http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=${_TOKEN_AUDIENCE} -o /workspace/identity_token.txt
  env:
  - _TOKEN_AUDIENCE=${_TOKEN_AUDIENCE}
service_account: '$_SERVICE_ACCOUNT'
substitutions:
  _TOKEN_AUDIENCE: 'TOKEN_AUDIENCE'
  _SERVICE_ACCOUNT_ID: 'SERVICE_ACCOUNT_ID'
  _SERVICE_ACCOUNT: 'projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT_ID}'
logsBucket: 'LOGS_BUCKET_LOCATION'
options:
  logging: GCS_ONLY
  dynamic_substitutions: true
```

### JSON

```json
{
  "steps": [
    {
      "name": "gcr.io/cloud-builders/curl",
      "id": "printTokenFromCurl",
      "script": "curl -H 'Metadata-Flavor: Google' http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=${_TOKEN_AUDIENCE} -o /workspace/identity_token.txt",
      "env": [
        "_TOKEN_AUDIENCE=${_TOKEN_AUDIENCE}"
      ]
    }
  ],
  "service_account": "$_SERVICE_ACCOUNT",
  "substitutions": {
    "_TOKEN_AUDIENCE": "TOKEN_AUDIENCE",
    "_SERVICE_ACCOUNT_ID": "SERVICE_ACCOUNT_ID",
    "_SERVICE_ACCOUNT": "projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT_ID}"
  },
  "logsBucket": "LOGS_BUCKET_LOCATION",
  "options": {
    "logging": "GCS_ONLY",
    "dynamic_substitutions": true
  }
}
```

Replace the following:

- `TOKEN_AUDIENCE` is the URL or target audience to obtain the ID token for, such as `http://www.example.com`.
- `SERVICE_ACCOUNT_ID` is the email address or unique ID for the user-specified service account. For example, `service-account-name@project-id.iam.gserviceaccount.com`.
- `LOGS_BUCKET_LOCATION` is the Cloud Storage bucket to store build logs. For example, `gs://mylogsbucket`.
For additional instructions on generating and using ID tokens in your workloads,
see [Methods for getting an ID token](/docs/authentication/get-id-token#methods).

What's next
-----------

- [Pass data between build steps](/build/docs/configuring-builds/pass-data-between-steps)
- [Deploy to Cloud Run](/build/docs/deploying-builds/deploy-cloud-run)
- [Deploy to App Engine](/build/docs/deploying-builds/deploy-appengine)

Last updated 2025-08-07 UTC.