gcloud auth application-default login - acquire new user credentials to use for Application Default Credentials

gcloud auth application-default login[ACCOUNT][--no-browser][--client-id-file=CLIENT_ID_FILE][--disable-quota-project][--no-launch-browser][--login-config=LOGIN_CONFIG][--scopes=SCOPE,[SCOPE,…]][GCLOUD_WIDE_FLAG …]

This command is useful when you are developing code that would normally use aservice account but need to run the code in a local development environmentwhere it's easier to provide user credentials. The credentials will apply to allAPI calls that make use of the Application Default Credentials client library.Do not set theGOOGLE_APPLICATION_CREDENTIALS environment variableif you want to use the credentials generated by this command in your localdevelopment. This command tries to find a quota project from gcloud's contextand write it to ADC so that Google client libraries can use it for billing andquota. Alternatively, you can use the--client-id-file flag. Inthis case, the project owning the client ID will be used for billing and quota.You can create the client ID file athttps://console.cloud.google.com/apis/credentials.

This command has no effect on the user account(s) set up by thegcloud auth login command.

Any credentials previously generated bygcloud auth application-defaultlogin will be overwritten.

gcloudauthapplication-defaultlogin

If you'd like to login by passing in a file containing your own client id, run:

gcloudauthapplication-defaultlogin--client-id-file=clientid.json

[ACCOUNT]

User account used for authorization. When the account specified has validcredentials in the local credential store these credentials will be re-used.Otherwise new ones will be fetched and replace any stored credential. Thiscaching behavior is only available for user credentials.

--browser

If you want to authorize the client libraries on a machine that doesn't have abrowser and you can install the gcloud CLI on another machine with a browser,use the--no-browser flag.

1. To initiate authorization, enter the following command:

gcloudauthapplication-defaultlogin--no-browser

2. Copy the long command that begins withgcloud auth application-defaultlogin --remote-bootstrap=".

3. Paste and run this command on the command line of a different, trustedmachine that has local installations of both a web browser and the gcloud CLItool version 372.0 or later.

4. Copy the long URL output from the machine with the web browser.

5. Paste the long URL back to the first machine under the prompt, "Enter theoutput of the above command", and press Enter to complete the authorization.

Enabled by default, use--no-browser to disable.

--client-id-file=CLIENT_ID_FILE

A file containing your own client id to use to login. If --client-id-file isspecified, the quota project will not be written to ADC.

--disable-quota-project

By default, the project in billing/quota_project or core/project will be writtento application default credentials (ADC) as the quota project. When both areset, billing/quota_project takes precedence. You can use --billing-project tooverwrite the value in billing/quota_project. Similarly, you can use --projectto overwrite the value in core/project. Client libraries will send it toservices and use it for quota and billing. To be able to use a project as thequota project, the account in ADC must have the serviceusage.services.usepermission on the project. This permission is granted to the project editor andproject owner. You can create custom roles to include this permission.

Note that some cloud services may ignore this quota project and still bill theproject owning the resources.

In the following situations, you may use this flag to skip setting the quotaproject:

• The account in ADC cannot be granted the project editor or owner role or anyrole with the serviceusage.services.use permission.
• You always want to bill the project owning the resources.

--launch-browser

Launch a browser for authorization. If not enabled or if it is not possible tolaunch a browser, prints a URL to standard output to be copied.

If you want to authorize the client libraries on a machine that doesn't have abrowser and you cannot install the gcloud CLI on another machine with a browser,use the--no-launch-browser flag. The--no-launch-browser flag prevents the command from automaticallyopening a web browser.

1. To initiate authorization, enter the following command:

gcloudauthapplication-defaultlogin--no-launch-browser

2. Copy the long URL that begins withhttps://accounts.google.com/o/oauth2/auth...

3. Paste this URL into the browser of a different, trusted machine that has aweb browser.

4. Copy the authorization code from the machine with the web browser.

5. Paste the authorization code back to the first machine at the prompt, "Enterauthorization code", and press Enter to complete the authorization.

Enabled by default, use--no-launch-browser to disable.

--login-config=LOGIN_CONFIG

Path to the login configuration file (workforce pool, generated by the CloudConsole orgcloud iamworkforce-pools create-login-config). Overrides the defaultauth/login_config_file property value for this command invocation.

--scopes=SCOPE,[SCOPE,…]

The names of the scopes to authorize for. By default openid,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/sqlservice.loginscopes are used. The list of possible scopes can be found at:https://developers.google.com/identity/protocols/googlescopes.To add scopes for applications outside of Google Cloud Platform, such as GoogleDrive,create an OAuthClient ID and provide it by using the --client-id-file flag.

Run$gcloud help for details.