Authenticate for using the gcloud CLI
This page describes various ways to sign in to the gcloud CLI.The Google Cloud CLI is a command-line tool you can use for Google Cloudadministration. Most services support the gcloud CLI.
If you plan to use client libraries or third-party development tools thatsupport Application Default Credentials (ADC) in a local developmentenvironment, you need to configure ADC in your local environment. For moreinformation, seeSet up Application Default Credentials for a local development environment.
How you authenticate to and use the gcloud CLI depends on where youare running the tool:
Local environment
For most use cases, you can use your user credentials tosign in to the gcloud CLI, but you can also use a service account.
When you sign in to the gcloud CLI in a local environment, the toolplaces your access and refresh tokens in your home directory. Any user withaccess to your file system can use those credentials. For more information, seeMitigating compromised OAuth tokens for Google Cloud CLI.
The following table describes your options for signing in to thegcloud CLI and how that affects the credentials used by the toolto authenticate and authorize to Google APIs.
| Credential type | Authentication command | Notes | More information |
|---|---|---|---|
| User credentials | One of the following:
| The gcloud CLI uses your user credentials for authentication and authorization for all Google APIs. To use a service account for authorization to Google APIs, use service account impersonation. | |
| Workforce Identity Federation enables users managed by an identity provider other than Google to access Google Cloud resources. | ||
| Service account | gcloud auth login --cred-file=WORKLOAD_IDENTITY_FEDERATION_CREDENTIAL_FILE | Workload Identity Federation enables workloads running outside of Google Cloud to access Google Cloud resources. | Authenticate a workload |
gcloud auth login --cred-file=SERVICE_ACCT_KEY | This method is not recommended, because using service account keys increases risk. To use a service account for authorization to Google APIs, sign in to the gcloud CLI with your user credentials, and then use service account impersonation. |
Cloud Shell
When you use Cloud Shell, you don't need to sign in to thegcloud CLI, but you do need to authorize the use of your accountbefore using any development tools from Cloud Shell. After you do that,the gcloud CLI uses your user credentials to access Google APIs.
For more information, seeAuthorize with Cloud Shell.
Google Cloud compute resources
When you use the gcloud CLI on Google Cloud compute resourcessuch as Compute Engine virtual machines, you don't need to initialize or signin to the gcloud CLI, because it gets its credentials andconfiguration information from the hosting compute resource by using themetadata server.
| Credential type | Authentication command | Notes | More information |
|---|---|---|---|
| Service account | Not applicable | The gcloud CLI uses the service account attached to the compute resource for authentication and authorization for all Google APIs. | Set up ADC for a resource with an attached service account |
gcloud CLI authentication configuration and ADC configuration
When you sign in to the gcloud CLI, you use thegcloud auth login command to authenticate a principal to the gcloud CLI.The gcloud CLI uses that principal for authentication and authorization tomanage Google Cloud resources and services. This is yourgcloud CLI authentication configuration.
When you use the gcloud CLI to configure ADC, you usethegcloud auth application-default login command. Thiscommand uses the principal you provide to configure ADC for yourlocal environment. This is yourADC configuration.
Your gcloud CLI authentication configuration is distinct from yourADC configuration. They can use the same principal or different principals. Thegcloud CLI does not use ADC to access Google Cloud resources.
The following table shows the two commands and what they do:
| Command | Description |
|---|---|
gcloud auth login | Accepts credentials that are used to authenticate to and authorize access to Google Cloud services. |
gcloud auth application-default login | Generates a local ADC file based on the credentials you provide to the command. |
Generally you use the same account to sign in to the gcloud CLIand to configure ADC, but you can use different accounts if needed.
What's next
- Learn more abouthow ADC finds credentials.
- Authenticate for using Cloud Client Libraries.
- Exploreauthentication methods.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.