gcloud auth application-default print-access-token
- NAME
- gcloud auth application-default print-access-token - print an access token for your current Application Default Credentials
- SYNOPSIS
gcloud auth application-default print-access-token[--lifetime=LIFETIME][--scopes=SCOPE,[SCOPE,…]][GCLOUD_WIDE_FLAG …]
- DESCRIPTION
- gcloud auth application-default print-access-token generates and prints anaccess token for the current Application Default Credential (ADC). TheADC can be specified either by using
gcloud authapplication-default login,gcloud auth login--cred-file=/path/to/cred/file --update-adc, or by setting theGOOGLE_APPLICATION_CREDENTIALSenvironment variable.The access token generated by gcloud auth application-default print-access-tokenis useful for manually testing APIs via curl or similar tools.
In order to print details of the access token, such as the associated accountand the token's expiration time in seconds, run:
curl-H"Content-Type: application/x-www-form-urlencoded"-d"access_token=$(gcloudauthapplication-defaultprint-access-token)"https://www.googleapis.com/oauth2/v1/tokeninfoNote that token itself may not be enough to access some services. If you use thetoken with curl or similar tools, you may see permission errors similar to "Yourapplication has authenticated using end user credentials from the Google CloudSDK or Google Cloud Shell". If it happens, you may need to provide a quotaproject in the "X-Goog-User-Project" header. For example,
curl-H"X-Goog-User-Project: your-project"-H"Authorization: Bearer$(gcloudauthapplication-defaultprint-access-token)"foo.googleapis.comThe identity that granted the token must have the serviceusage.services.usepermission on the provided project. Seehttps://cloud.google.com/apis/docs/system-parametersfor more information.
- FLAGS
--lifetime=LIFETIME- Access token lifetime. The default access token lifetime is 3600 seconds, butyou can use this flag to reduce the lifetime or extend it up to 43200 seconds(12 hours). The org policy constraint
constraints/iam.allowServiceAccountCredentialLifetimeExtensionmustbe set if you want to extend the lifetime beyond 3600 seconds. Note that thisflag is for service account impersonation only, so it only works when either--impersonate-service-accountflag orauth/impersonate_service_accountproperty is set. --scopes=SCOPE,[SCOPE,…]- The scopes to authorize for. This flag is supported for user accounts andservice accounts only. The list of possible scopes can be found at:https://developers.google.com/identity/protocols/googlescopes.
For end-user accounts, the provided scopes must be from [
openid,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/sqlservice.login], or the scopespreviously specified throughgcloud auth application-default login--scopes.
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - NOTES
- These variants are also available:
gcloudalphaauthapplication-defaultprint-access-tokengcloudbetaauthapplication-defaultprint-access-token
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-05-07 UTC.