Sign in to the gcloud CLI with your federated identity

This document describes how to sign in to the Google Cloud CLI with yourfederated identity by using a browser-based sign in.

Before you begin

  1. Ensure that your administrator has set up and configuredWorkforce Identity Federation.

  2. Ensure that you have information that supports one of the following options.Your administrator can provide this information.

Obtain a login configuration file

This section describes how you can obtain a login configuration file that youcan use to sign in to the gcloud CLI.

Create a login configuration file

You can use the workforce identity pool ID and workforce identity pool providerID to create a login configuration file.

To create the login configuration file, run the following command. You can optionally activate the file as the default for the gcloud CLI by adding the--activate flag. You can then rungcloud auth login without specifying the configuration file path each time.

gcloudiamworkforce-poolscreate-login-config\locations/global/workforcePools/WORKFORCE_POOL_ID/providers/PROVIDER_ID\--output-file=LOGIN_CONFIG_FILE_PATH

Replace the following:

  • WORKFORCE_POOL_ID: the workforce pool ID
  • PROVIDER_ID: the provider ID
  • LOGIN_CONFIG_FILE_PATH: the path to a configuration file that you specify—for example,login.json

The file contains the endpoints used by the gcloud CLI to enable the browser-based authentication flow and set the audience to the IdP that was configured in the workforce identity pool provider. The file doesn't contain confidential information.

The output looks similar to the following:

{"type":"external_account_authorized_user_login_config","audience":"//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID","auth_url":"https://auth.cloud.google/authorize","token_url":"https://sts.googleapis.com/v1/oauthtoken","token_info_url":"https://sts.googleapis.com/v1/introspect"}

Caution: We recommend that you first ensure that the contents of this file are correct and then safeguard the file—for example, by making it read-only and restricting access with an ACL. The file isn't validated; a malicious actor with write access to this file can change the endpoints and intercept credentials.

To stopgcloud auth login from using this configuration file automatically, you can unset it by runninggcloud config unset auth/login_config_file.

You can nowsign in to the gcloud CLI.

Save a login configuration file

You can save credential configuration file contents that were provided to youto a file. Note the path, and thensign in to the gcloud CLI.

Sign in to the gcloud CLI

To sign in to the gcloud CLI with a login configuration file, run thefollowing command:

gcloudauthlogin--login-config="LOGIN_CONFIG_FILE_PATH"

ReplaceLOGIN_CONFIG_FILE_PATH with the path tothe login configuration file, if you haven't activated this file before.However, if you have previously activated this file using the--activate flag, then you don't need to specify the file again.Instead, run the following command:

gcloudauthlogin

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.