1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 10:35:03 +00:00

gcloud: Thu Jun 23 08:40:08 UTC 2022

This commit is contained in:
Automated 2022-06-23 08:40:08 +00:00
parent 5378794555
commit 8b80260bd9
Failed to extract signature
144 changed files with 4593 additions and 192 deletions

View file

@ -0,0 +1,69 @@
NAME
gcloud alpha auth application-default - manage your active Application
Default Credentials
SYNOPSIS
gcloud alpha auth application-default COMMAND [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) Application Default Credentials (ADC) provide a method to get
credentials used in calling Google APIs. The gcloud alpha auth
application-default command group allows you to manage active credentials
on your machine that are used for local application development.
These credentials are only used by Google client libraries in your own
application.
For more information about ADC and how it works, see Authenticating as a
service account (https://cloud.google.com/docs/authentication/production).
EXAMPLES
To use your own user credentials for your application to access an API,
run:
$ gcloud alpha auth application-default login
This will take you through a web flow to acquire new user credentials.
To create a service account and have your application use it for API
access, run:
$ gcloud iam service-accounts create my-account
$ gcloud iam service-accounts keys create key.json \
--iam-account=my-account@my-project.iam.gserviceaccount.com
$ export GOOGLE_APPLICATION_CREDENTIALS=key.json
$ ./my_application.sh
GCLOUD WIDE FLAGS
These flags are available to all commands: --help.
Run $ gcloud help for details.
COMMANDS
COMMAND is one of the following:
login
(ALPHA) Acquire new user credentials to use for Application Default
Credentials.
print-access-token
(ALPHA) Print an access token for your current Application Default
Credentials.
revoke
(ALPHA) Revoke previously generated Application Default Credentials.
set-quota-project
(ALPHA) Update or add a quota project in application default
credentials (ADC).
NOTES
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct
project, you might be trying to access an API with an invitation-only early
access allowlist. These variants are also available:
$ gcloud auth application-default
$ gcloud beta auth application-default

View file

@ -0,0 +1,124 @@
NAME
gcloud alpha auth application-default login - acquire new user credentials
to use for Application Default Credentials
SYNOPSIS
gcloud alpha auth application-default login [--no-browser]
[--client-id-file=CLIENT_ID_FILE] [--disable-quota-project]
[--no-launch-browser] [--scopes=SCOPE,[SCOPE,...]]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) Obtains user access credentials via a web flow and puts them in the
well-known location for Application Default Credentials (ADC).
This command is useful when you are developing code that would normally use
a service account but need to run the code in a local development
environment where it's easier to provide user credentials. The credentials
will apply to all API calls that make use of the Application Default
Credentials client library. Do not set the GOOGLE_APPLICATION_CREDENTIALS
environment variable if you want to use the credentials generated by this
command in your local development. This command tries to find a quota
project from gcloud's context and write it to ADC so that Google client
libraries can use it for billing and quota. Alternatively, you can use the
--client-id-file flag. In this case, the project owning the client ID will
be used for billing and quota. You can create the client ID file at
https://console.cloud.google.com/apis/credentials.
This command has no effect on the user account(s) set up by the gcloud auth
login command.
Any credentials previously generated by gcloud auth application-default
login will be overwritten.
EXAMPLES
If you want your local application to temporarily use your own user
credentials for API access, run:
$ gcloud alpha auth application-default login
If you'd like to login by passing in a file containing your own client id,
run:
$ gcloud alpha auth application-default login \
--client-id-file=clientid.json
FLAGS
--no-browser
Use this flag to authenticate the client libraries on a machine without
a web browser.
Run gcloud auth login --no-browser and follow these steps:
1. Copy the long command that begins with "gcloud auth login
--remote-bootstrap=".
2. Paste and run this command on the command line of a different,
trusted machine that has local installations of both a web browser and
the gcloud CLI tool version 372.0 or later.
3. Copy the long URL output from the machine with the web browser.
4. Paste the long URL back to the first machine under the prompt,
"Enter the output of the above command", and press Enter to complete
the authorization.
--client-id-file=CLIENT_ID_FILE
A file containing your own client id to use to login. If
--client-id-file is specified, the quota project will not be written to
ADC.
--disable-quota-project
By default, the project in billing/quota_project or core/project will
be written to application default credentials (ADC) as the quota
project. When both are set, billing/quota_project takes precedence. You
can use --billing-project to overwrite the value in
billing/quota_project. Similarly, you can use --project to overwrite
the value in core/project. Client libraries will send it to services
and use it for quota and billing. To be able to use a project as the
quota project, the account in ADC must have the
serviceusage.services.use permission on the project. This permission is
granted to the project editor and project owner. You can create custom
roles to include this permission.
Note that some cloud services may ignore this quota project and still
bill the project owning the resources.
In the following situations, you may use this flag to skip setting the
quota project:
◆ The account in ADC cannot be granted the project editor or owner
role or any role with the serviceusage.services.use permission.
◆ You always want to bill the project owning the resources.
--launch-browser
Launch a browser for authorization. If not enabled or if it is not
possible to launch a browser, prints a URL to standard output to be
copied. Enabled by default, use --no-launch-browser to disable.
--scopes=SCOPE,[SCOPE,...]
The names of the scopes to authorize for. By default openid,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/cloud-platform,
https://www.googleapis.com/auth/sqlservice.login scopes are used. The
list of possible scopes can be found at:
https://developers.google.com/identity/protocols/googlescopes.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct
project, you might be trying to access an API with an invitation-only early
access allowlist. These variants are also available:
$ gcloud auth application-default login
$ gcloud beta auth application-default login

View file

@ -0,0 +1,74 @@
NAME
gcloud alpha auth application-default print-access-token - print an access
token for your current Application Default Credentials
SYNOPSIS
gcloud alpha auth application-default print-access-token
[--scopes=SCOPE,[SCOPE,...]] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) gcloud alpha auth application-default print-access-token generates
and prints an access token for the current Application Default Credential
(ADC). The ADC (https://google.aip.dev/auth/4110) can be specified either
by using gcloud auth application-default login, gcloud auth login
--cred-file=/path/to/cred/file --update-adc, or by setting the
GOOGLE_APPLICATION_CREDENTIALS environment variable.
The access token generated by gcloud alpha auth application-default
print-access-token is useful for manually testing APIs via curl or similar
tools.
In order to print details of the access token, such as the associated
account and the token's expiration time in seconds, run:
$ curl -H "Content-Type: application/x-www-form-urlencoded" \
-d "access_token=$(gcloud auth application-default print-access-token)" \
https://www.googleapis.com/oauth2/v1/tokeninfo
Note that token itself may not be enough to access some services. If you
use the token with curl or similar tools, you may see permission errors
similar to "Your application has authenticated using end user credentials
from the Google Cloud SDK or Google Cloud Shell". If it happens, you may
need to provide a quota project in the "X-Goog-User-Project" header. For
example,
$ curl -H "X-Goog-User-Project: your-project" \
-H \
"Authorization: Bearer $(gcloud auth application-default \
print-access-token)" foo.googleapis.com
The identity that granted the token must have the serviceusage.services.use
permission on the provided project. See
https://cloud.google.com/apis/docs/system-parameters for more information.
FLAGS
--scopes=SCOPE,[SCOPE,...]
The scopes to authorize for. This flag is supported for user accounts
and service accounts only. The list of possible scopes can be found at:
https://developers.google.com/identity/protocols/googlescopes.
For end-user accounts, the provided scopes must be from [openid,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/cloud-platform,
https://www.googleapis.com/auth/sqlservice.login], or the scopes
previously specified through gcloud auth application-default login
--scopes.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct
project, you might be trying to access an API with an invitation-only early
access allowlist. These variants are also available:
$ gcloud auth application-default print-access-token
$ gcloud beta auth application-default print-access-token

View file

@ -0,0 +1,35 @@
NAME
gcloud alpha auth application-default revoke - revoke previously generated
Application Default Credentials
SYNOPSIS
gcloud alpha auth application-default revoke [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) Revokes Application Default Credentials that have been previously
generated by gcloud alpha auth application-default login and deletes the
local credential file.
This does not affect any credentials set up through other means, such as
credentials referenced by the Application Default Credentials environment
variable or service account credentials that are active on a Google Compute
Engine virtual machine.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct
project, you might be trying to access an API with an invitation-only early
access allowlist. These variants are also available:
$ gcloud auth application-default revoke
$ gcloud beta auth application-default revoke

View file

@ -0,0 +1,45 @@
NAME
gcloud alpha auth application-default set-quota-project - update or add a
quota project in application default credentials (ADC)
SYNOPSIS
gcloud alpha auth application-default set-quota-project QUOTA_PROJECT_ID
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) Before running this command, an ADC must already be generated using
$ gcloud auth application-default login. The quota project can be used by
client libraries for the billing purpose. The existing application default
credentials must have the serviceusage.services.use permission on the given
project.
EXAMPLES
To update the quota project in application default credentials to
my-quota-project, run:
$ gcloud alpha auth application-default set-quota-project \
my-quota-project
POSITIONAL ARGUMENTS
QUOTA_PROJECT_ID
Quota project ID to add to application default credentials. If a quota
project already exists, it will be updated.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct
project, you might be trying to access an API with an invitation-only early
access allowlist. These variants are also available:
$ gcloud auth application-default set-quota-project
$ gcloud beta auth application-default set-quota-project

View file

@ -2,7 +2,7 @@ NAME
gcloud alpha auth - manage oauth2 credentials for the Google Cloud CLI
SYNOPSIS
gcloud alpha auth COMMAND [GCLOUD_WIDE_FLAG ...]
gcloud alpha auth GROUP | COMMAND [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) The gcloud auth command group lets you grant and revoke
@ -41,6 +41,12 @@ GCLOUD WIDE FLAGS
Run $ gcloud help for details.
GROUPS
GROUP is one of the following:
application-default
(ALPHA) Manage your active Application Default Credentials.
COMMANDS
COMMAND is one of the following: