gcloud alpha auth application-default print-access-token
- NAME
- gcloud alpha auth application-default print-access-token - print an access token for your current Application Default Credentials
- SYNOPSIS
gcloud alpha auth application-default print-access-token[--lifetime=LIFETIME][--scopes=SCOPE,[SCOPE,…]][GCLOUD_WIDE_FLAG …]
- DESCRIPTION
(ALPHA)gcloud alpha auth application-default print-access-tokengenerates and prints an access token for the current Application DefaultCredential (ADC). TheADC can bespecified either by usinggcloud authapplication-default login,gcloud auth login--cred-file=/path/to/cred/file --update-adc, or by setting theGOOGLE_APPLICATION_CREDENTIALSenvironment variable.The access token generated by gcloud alpha auth application-defaultprint-access-token is useful for manually testing APIs via curl or similartools.
In order to print details of the access token, such as the associated accountand the token's expiration time in seconds, run:
curl-H"Content-Type: application/x-www-form-urlencoded"-d"access_token=$(gcloudauthapplication-defaultprint-access-token)"https://www.googleapis.com/oauth2/v1/tokeninfoNote that token itself may not be enough to access some services. If you use thetoken with curl or similar tools, you may see permission errors similar to "Yourapplication has authenticated using end user credentials from the Google CloudSDK or Google Cloud Shell". If it happens, you may need to provide a quotaproject in the "X-Goog-User-Project" header. For example,
curl-H"X-Goog-User-Project: your-project"-H"Authorization: Bearer$(gcloudauthapplication-defaultprint-access-token)"foo.googleapis.comThe identity that granted the token must have the serviceusage.services.usepermission on the provided project. Seehttps://cloud.google.com/apis/docs/system-parametersfor more information.
- FLAGS
--lifetime=LIFETIME- Access token lifetime. The default access token lifetime is 3600 seconds, butyou can use this flag to reduce the lifetime or extend it up to 43200 seconds(12 hours). The org policy constraint
constraints/iam.allowServiceAccountCredentialLifetimeExtensionmustbe set if you want to extend the lifetime beyond 3600 seconds. Note that thisflag is for service account impersonation only, so it only works when either--impersonate-service-accountflag orauth/impersonate_service_accountproperty is set. --scopes=SCOPE,[SCOPE,…]- The scopes to authorize for. This flag is supported for user accounts andservice accounts only. The list of possible scopes can be found at:https://developers.google.com/identity/protocols/googlescopes.
For end-user accounts, the provided scopes must be from [
openid,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/sqlservice.login], or the scopespreviously specified throughgcloud auth application-default login--scopes.
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - NOTES
- This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. These variants are also available:
gcloudauthapplication-defaultprint-access-tokengcloudbetaauthapplication-defaultprint-access-token
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-05-07 UTC.