- NAME
-
- gcloud auth application-default login - acquire new user credentials to use for Application Default Credentials
- SYNOPSIS
-
-
gcloud auth application-default login
[ACCOUNT
] [--no-browser
] [--client-id-file
=CLIENT_ID_FILE
] [--disable-quota-project
] [--no-launch-browser
] [--login-config
=LOGIN_CONFIG
] [--scopes
=SCOPE
,[SCOPE
,…]] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
-
Obtains user access credentials via a web flow and puts them in the well-known
location for Application Default Credentials (ADC).
This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials. The credentials will apply to all API calls that make use of the Application Default Credentials client library. Do not set the
GOOGLE_APPLICATION_CREDENTIALS
environment variable if you want to use the credentials generated by this command in your local development. This command tries to find a quota project from gcloud's context and write it to ADC so that Google client libraries can use it for billing and quota. Alternatively, you can use the--client-id-file
flag. In this case, the project owning the client ID will be used for billing and quota. You can create the client ID file at https://console.cloud.google.com/apis/credentials.This command has no effect on the user account(s) set up by the
gcloud auth login
command.Any credentials previously generated by
gcloud auth application-default login
will be overwritten. - EXAMPLES
-
If you want your local application to temporarily use your own user credentials
for API access, run:
gcloud auth application-default login
If you'd like to login by passing in a file containing your own client id, run:
gcloud auth application-default login --client-id-file=clientid.json
- POSITIONAL ARGUMENTS
-
- [
ACCOUNT
] - User account used for authorization. When the account specified has valid credentials in the local credential store these credentials will be re-used. Otherwise new ones will be fetched and replace any stored credential. This caching behavior is only available for user credentials.
- [
- FLAGS
-
--browser
-
If you want to authorize the client libraries on a machine that doesn't have a
browser and you can install the gcloud CLI on another machine with a browser,
use the
--no-browser
flag.1. To initiate authorization, enter the following command:
gcloud auth application-default login --no-browser
2. Copy the long command that begins with
gcloud auth application-default login --remote-bootstrap="
.3. Paste and run this command on the command line of a different, trusted machine that has local installations of both a web browser and the gcloud CLI tool version 372.0 or later.
4. Copy the long URL output from the machine with the web browser.
5. Paste the long URL back to the first machine under the prompt, "Enter the output of the above command", and press Enter to complete the authorization.
Enabled by default, use
--no-browser
to disable. --client-id-file
=CLIENT_ID_FILE
- A file containing your own client id to use to login. If --client-id-file is specified, the quota project will not be written to ADC.
--disable-quota-project
-
By default, the project in billing/quota_project or core/project will be written
to application default credentials (ADC) as the quota project. When both are
set, billing/quota_project takes precedence. You can use --billing-project to
overwrite the value in billing/quota_project. Similarly, you can use --project
to overwrite the value in core/project. Client libraries will send it to
services and use it for quota and billing. To be able to use a project as the
quota project, the account in ADC must have the serviceusage.services.use
permission on the project. This permission is granted to the project editor and
project owner. You can create custom roles to include this permission.
Note that some cloud services may ignore this quota project and still bill the project owning the resources.
In the following situations, you may use this flag to skip setting the quota project:
- The account in ADC cannot be granted the project editor or owner role or any role with the serviceusage.services.use permission.
- You always want to bill the project owning the resources.
--launch-browser
-
Launch a browser for authorization. If not enabled or if it is not possible to
launch a browser, prints a URL to standard output to be copied.
If you want to authorize the client libraries on a machine that doesn't have a browser and you cannot install the gcloud CLI on another machine with a browser, use the
--no-launch-browser
flag. The--no-launch-browser
flag prevents the command from automatically opening a web browser.1. To initiate authorization, enter the following command:
gcloud auth application-default login --no-launch-browser
2. Copy the long URL that begins with
https://accounts.google.com/o/oauth2/auth...
3. Paste this URL into the browser of a different, trusted machine that has a web browser.
4. Copy the authorization code from the machine with the web browser.
5. Paste the authorization code back to the first machine at the prompt, "Enter authorization code", and press Enter to complete the authorization.
Enabled by default, use
--no-launch-browser
to disable. --login-config
=LOGIN_CONFIG
-
Path to the login configuration file (workforce pool, generated by the Cloud
Console or
gcloud iam workforce-pools create-login-config
). Overrides the defaultauth/login_config_file
property value for this command invocation. --scopes
=SCOPE
,[SCOPE
,…]- The names of the scopes to authorize for. By default openid, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/sqlservice.login scopes are used. The list of possible scopes can be found at: https://developers.google.com/identity/protocols/googlescopes. To add scopes for applications outside of Google Cloud Platform, such as Google Drive, create an OAuth Client ID and provide it by using the --client-id-file flag.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - NOTES
-
These variants are also available:
gcloud alpha auth application-default login
gcloud beta auth application-default login
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-01-07 UTC.