gcloud auth print-identity-token

NAME
gcloud auth print-identity-token - print an identity token for the specified account
SYNOPSIS
gcloud auth print-identity-token[ACCOUNT][--audiences=AUDIENCES][--include-email][--include-license--token-format=TOKEN_FORMAT; default="standard"][GCLOUD_WIDE_FLAG]
DESCRIPTION
Print an identity token for the specified account.
EXAMPLES
To print identity tokens:
gcloudauthprint-identity-token

To print identity token for account 'foo@example.com' whose audience is'https://service-hash-uc.a.run.app', run:

gcloudauthprint-identity-tokenfoo@example.com--audiences="https://service-hash-uc.a.run.app"

To print identity token for an impersonated service account'my-account@example.iam.gserviceaccount.com' whose audience is'https://service-hash-uc.a.run.app', run:

gcloudauthprint-identity-token--impersonate-service-account="my-account@example.iam.gserviceaccount.com"--audiences="https://service-hash-uc.a.run.app"

To print identity token of a Compute Engine instance, which includes project andinstance details as well as license codes for images associated with theinstance, run:

gcloudauthprint-identity-token--token-format=full--include-license

To print identity token for an impersonated service account'my-account@example.iam.gserviceaccount.com', which includes the email addressof the service account, run:

gcloudauthprint-identity-token--impersonate-service-account="my-account@example.iam.gserviceaccount.com"--include-email
POSITIONAL ARGUMENTS
[ACCOUNT]
Account to print the identity token for. If not specified, the current activeaccount will be used.
FLAGS
--audiences=AUDIENCES
Intended recipient of the token. Currently, only one audience can be specified.
--include-email
Specify whether or not service account email is included in the identity token.If specified, the token will contain 'email' and 'email_verified' claims. Thisflag should only be used for impersonate service account.
Parameters for Google Compute Engine instance identity tokens.
--include-license
Specify whether or not license codes for images associated with this instanceare included in the identity token payload. Default is False. This flag does nothave effect unless--token-format=full.
--token-format=TOKEN_FORMAT; default="standard"
Specify whether or not the project and instance details are included in theidentity token payload. This flag only applies to Google Compute Engine instanceidentity tokens. Seehttps://cloud.google.com/compute/docs/instances/verifying-instance-identity#token_formatfor more details on token format.TOKEN_FORMAT must beone of:standard,full.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
These variants are also available:
gcloudalphaauthprint-identity-token
gcloudbetaauthprint-identity-token

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-01-21 UTC.