Authenticate and set up API access within a workstation

This document describes how to authenticate and set up API access within a workstation. For general information about Google Cloud authentication, see the authentication overview.

Authenticate as a user with Google Cloud CLI

After you launch Cloud Workstations, you can access Google Cloud services and the API using your user accounts through the gcloud CLI.

  1. Open a terminal in your workstation. The way you open a terminal window depends on the IDE that you're using. For example, if you're using the Cloud Workstations base editor, open a terminal by selecting Terminal > New Terminal, or by pressing Control+Shift+`.
  2. Authenticate with the following command:
    gcloud auth login --no-launch-browser
  3. Follow the instructions provided by the command to authenticate to Google Cloud.
  4. Specify your Google Cloud project ID with the following command:
    gcloud config set project PROJECT_ID
  5. Enable Application Default Credentials to allow you to call Google Cloud services.
    gcloud auth application-default login
  6. Your gcloud CLI credentials are now saved and available when you use your workstation in future sessions.

Issue an HTTP request to a workstation

To issue an HTTP request to a workstation, you need an access token for an account that has the Cloud Workstations User role on that workstation:

  1. Generate an access token using the generateAccessToken API method.
  2. Add an HTTP header named Authorization with the value Bearer $TOKEN.
Note: Once generated, the access token is valid for the expiration time of the token and cannot be revoked.
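
The two steps above as a script, added here as an example and not part of the original page: it requests a token with a short `ttl`, since the token cannot be revoked, and hands both bearer headers to curl on stdin so they stay out of the process list. The REST path and the `ttl` request field are assumed from the Cloud Workstations v1 API; `WORKSTATION_NAME`, `WORKSTATION_HOST` and the 3600-second cap are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original page.
# WORKSTATION_NAME: full resource name (projects/.../workstations/...), placeholder.
# WORKSTATION_HOST: hostname of the workstation, placeholder.

API="https://workstations.googleapis.com/v1"   # assumed REST endpoint (v1 API)
MAX_TTL=3600                                   # local policy cap in seconds (assumption)

# URL of the generateAccessToken method for a workstation resource name.
ws_token_url() { printf '%s/%s:generateAccessToken' "$API" "$1"; }

# JSON body asking for a token that lives only $1 seconds. The token cannot be
# revoked, so reject anything that is not a whole number within the local cap.
ws_token_body() {
  case "$1" in ''|*[!0-9]*) echo "ttl must be whole seconds" >&2; return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le "$MAX_TTL" ] || { echo "ttl out of range" >&2; return 1; }
  printf '{"ttl":"%ss"}' "$1"
}

# Pull the accessToken value out of the API response read from stdin.
ws_extract_token() {
  sed -n 's/.*"accessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Generate a short-lived token, then send one request to the workstation.
# Headers reach curl on stdin (-H @-), so no token appears in the process list.
ws_request() {
  local name="$1" host="$2" ttl="${3:-300}" body token
  body=$(ws_token_body "$ttl") || return 1
  token=$(printf 'Authorization: Bearer %s\n' "$(gcloud auth print-access-token)" |
    curl -sS --fail -X POST -H @- -H 'Content-Type: application/json' \
      -d "$body" "$(ws_token_url "$name")" | ws_extract_token)
  [ -n "$token" ] || { echo "no accessToken in response" >&2; return 1; }
  printf 'Authorization: Bearer %s\n' "$token" |
    curl -sS --fail -H @- "https://$host/"
}

# Runs only when called as: ./ws-request.sh WORKSTATION_NAME WORKSTATION_HOST [TTL]
if [ "$#" -ge 2 ]; then ws_request "$@"; fi
```

Reading headers with `-H @-` needs curl 7.55.0 or later.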

Connect to the workstation in your browser

Opening your workstation URL in your browser automatically authenticates through a redirect to the workstations server, and retrieves an access token generated by the generateAccessToken API method. This redirects back to your workstation and sets an authentication cookie that is valid for your current workstation session.

To skip this redirect, use the _workstationAccessToken URL parameter:

  1. Generate an access token using the generateAccessToken API method.
  2. Open your workstation URL in the browser and append a URL parameter with the following form: _workstationAccessToken=TOKEN.

This sets an authentication cookie in your browser that allows access for your current workstation session. Skipping the redirect can be helpful when access to the workstation server is blocked by network policies, or when using iframes to display the workstation in other sites.

Impersonate a service account

If your organization's security policies prevent user accounts from having the required permissions, you can also impersonate a service account. To impersonate the service account specified on your workstation configuration, you can specify the service account scopes field.

        gcloud workstations configs create CONFIG \
            --cluster=CLUSTER \
            --region=REGION \
            --project=PROJECT \
            --service-account=SERVICE_ACCOUNT \
            --service-account-scopes=https://www.googleapis.com/auth/cloud-platform

When specified, users of workstations under this configuration must have iam.serviceAccounts.actAs permission on the service account. For more information on specifying scopes for the service account, see Access scopes.


Last updated 2026-02-19 UTC.