gcloud alpha auth login

NAME
gcloud alpha auth login - authorize gcloud to access the Cloud Platform with Google user credentials
SYNOPSIS
gcloud alpha auth login[ACCOUNT][--no-activate][--brief][--no-browser][--cred-file=CRED_FILE][--enable-gdrive-access][--force][--no-launch-browser][--login-config=LOGIN_CONFIG][--update-adc][GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA) Obtains access credentials for your user account via aweb-based authorization flow. When this command completes successfully, it setsthe active account in the current configuration to the account specified. If noconfiguration exists, it creates a configuration named default.

If valid credentials for an account are already available from a priorauthorization, the account is set to active without rerunning the flow.

Usegcloud auth listto view credentialed accounts.

If you'd rather authorize without a web browser but still interact with thecommand line, use the--no-browser flag. To authorize without a webbrowser and non-interactively, create a service account with the appropriatescopes using theGoogle CloudConsole and usegcloud authactivate-service-account with the corresponding JSON key file.

In addition to Google user credentials, authorization using workload identityfederation, workforce identity federation, or service account keys is alsosupported.

For authorization with external accounts or service accounts, the--cred-file flag must be specified with the path to the workloadidentity credential configuration file or service account key file (JSON).

Login with workload and workforce identity federation is also supported in bothgsutil and bq. This command is the recommended way of using external accounts.

For more information on workload identity federation, see:https://cloud.google.com/iam/docs/workload-identity-federation.

For more information on workforce identity federation, see:https://cloud.google.com/iam/docs/workforce-identity-federation.

For more information on authorization and credential types, see:https://cloud.google.com/sdk/docs/authorizing.

EXAMPLES
To obtain access credentials for your user account, run:
gcloudalphaauthlogin

To obtain access credentials using workload or workforce identity federation,run:

gcloudalphaauthlogin--cred-file=/path/to/configuration/file

To obtain access credentials using a browser-based sign-in flow with workforceidentity federation, run:

gcloudalphaauthlogin--login-config=/path/to/configuration/file
POSITIONAL ARGUMENTS
[ACCOUNT]
User account used for authorization. When the account specified has validcredentials in the local credential store these credentials will be re-used,otherwise a new credential will be fetched. If you need to fetch a newcredential for an account with valid credentials stored, run the command withthe --force flag.
FLAGS
--activate
Set the new account to active. Enabled by default, use--no-activate to disable.
--brief
Minimal user output.
--browser
If you want to authorize the gcloud CLI on a machine that doesn't have a browserand you can install the gcloud CLI on another machine with a browser, use the--no-browser flag.

1. To initiate authorization, enter the following command:

gcloudauthlogin--no-browser

2. Copy the long command that begins withgcloud auth login--remote-bootstrap=".

3. Paste and run this command on the command line of a different, trustedmachine that has local installations of both a web browser and the gcloud CLItool version 372.0 or later.

4. Copy the long URL output from the machine with the web browser.

5. Paste the long URL back to the first machine under the prompt, "Enter theoutput of the above command", and press Enter to complete the authorization.

Enabled by default, use--no-browser to disable.

--cred-file=CRED_FILE
Path to the external account configuration file (workload identity pool,generated by the Cloud Console orgcloudiam workload-identity-pools create-cred-config) or service accountcredential key file (JSON).
--enable-gdrive-access
Enable Google Drive access.
--force
Re-run the web authorization flow even if the given account has validcredentials.
--launch-browser
Launch a browser for authorization. If not enabled or if it is not possible tolaunch a browser, prints a URL to standard output to be copied.

If you want to authorize the gcloud CLI on a machine that doesn't have a browserand you cannot install the gcloud CLI on another machine with a browser, use the--no-launch-browser flag. The--no-launch-browser flagprevents the command from automatically opening a web browser.

1. To initiate authorization, enter the following command:

gcloudauthlogin--no-launch-browser

2. Copy the long URL that begins withhttps://accounts.google.com/o/oauth2/auth...

3. Paste this URL into the browser of a different, trusted machine that has aweb browser.

4. Copy the authorization code from the machine with the web browser.

5. Paste the authorization code back to the first machine at the prompt, "Enterauthorization code", and press Enter to complete the authorization.

Enabled by default, use--no-launch-browser to disable.

--login-config=LOGIN_CONFIG
Path to the workforce identity federation login configuration file which can begenerated using thegcloud iamworkforce-pools create-login-config command. Overrides the defaultauth/login_config_file property value for this command invocation.
--update-adc
Write the obtained credentials to the well-known location for ApplicationDefault Credentials (ADC). Run $gcloud authapplication-default --help to learn more about ADC. Any credentialspreviously generated bygcloud authapplication-default login will be overwritten.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. These variants are also available:
gcloudauthlogin
gcloudbetaauthlogin

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-22 UTC.