mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 10:35:03 +00:00
154 lines
6.6 KiB
Bash
154 lines
6.6 KiB
Bash
NAME
|
|
gcloud auth application-default login - acquire new user credentials to use
|
|
for Application Default Credentials
|
|
|
|
SYNOPSIS
|
|
gcloud auth application-default login [--no-browser]
|
|
[--client-id-file=CLIENT_ID_FILE] [--disable-quota-project]
|
|
[--no-launch-browser] [--login-config=LOGIN_CONFIG]
|
|
[--scopes=SCOPE,[SCOPE,...]] [GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
Obtains user access credentials via a web flow and puts them in the
|
|
well-known location for Application Default Credentials (ADC).
|
|
|
|
This command is useful when you are developing code that would normally use
|
|
a service account but need to run the code in a local development
|
|
environment where it's easier to provide user credentials. The credentials
|
|
will apply to all API calls that make use of the Application Default
|
|
Credentials client library. Do not set the GOOGLE_APPLICATION_CREDENTIALS
|
|
environment variable if you want to use the credentials generated by this
|
|
command in your local development. This command tries to find a quota
|
|
project from gcloud's context and write it to ADC so that Google client
|
|
libraries can use it for billing and quota. Alternatively, you can use the
|
|
--client-id-file flag. In this case, the project owning the client ID will
|
|
be used for billing and quota. You can create the client ID file at
|
|
https://console.cloud.google.com/apis/credentials.
|
|
|
|
This command has no effect on the user account(s) set up by the gcloud auth
|
|
login command.
|
|
|
|
Any credentials previously generated by gcloud auth application-default
|
|
login will be overwritten.
|
|
|
|
EXAMPLES
|
|
If you want your local application to temporarily use your own user
|
|
credentials for API access, run:
|
|
|
|
$ gcloud auth application-default login
|
|
|
|
If you'd like to login by passing in a file containing your own client id,
|
|
run:
|
|
|
|
$ gcloud auth application-default login \
|
|
--client-id-file=clientid.json
|
|
|
|
FLAGS
|
|
--no-browser
|
|
If you want to authorize the client libraries on a machine that doesn't
|
|
have a browser and you can install the gcloud CLI on another machine
|
|
with a browser, use the --no-browser flag.
|
|
|
|
1. To initiate authorization, enter the following command:
|
|
|
|
gcloud auth application-default login --no-browser
|
|
|
|
2. Copy the long command that begins with gcloud auth
|
|
application-default login --remote-bootstrap=".
|
|
|
|
3. Paste and run this command on the command line of a different,
|
|
trusted machine that has local installations of both a web browser and
|
|
the gcloud CLI tool version 372.0 or later.
|
|
|
|
4. Copy the long URL output from the machine with the web browser.
|
|
|
|
5. Paste the long URL back to the first machine under the prompt,
|
|
"Enter the output of the above command", and press Enter to complete
|
|
the authorization.
|
|
|
|
--client-id-file=CLIENT_ID_FILE
|
|
A file containing your own client id to use to login. If
|
|
--client-id-file is specified, the quota project will not be written to
|
|
ADC.
|
|
|
|
--disable-quota-project
|
|
By default, the project in billing/quota_project or core/project will
|
|
be written to application default credentials (ADC) as the quota
|
|
project. When both are set, billing/quota_project takes precedence. You
|
|
can use --billing-project to overwrite the value in
|
|
billing/quota_project. Similarly, you can use --project to overwrite
|
|
the value in core/project. Client libraries will send it to services
|
|
and use it for quota and billing. To be able to use a project as the
|
|
quota project, the account in ADC must have the
|
|
serviceusage.services.use permission on the project. This permission is
|
|
granted to the project editor and project owner. You can create custom
|
|
roles to include this permission.
|
|
|
|
Note that some cloud services may ignore this quota project and still
|
|
bill the project owning the resources.
|
|
|
|
In the following situations, you may use this flag to skip setting the
|
|
quota project:
|
|
|
|
◆ The account in ADC cannot be granted the project editor or owner
|
|
role or any role with the serviceusage.services.use permission.
|
|
◆ You always want to bill the project owning the resources.
|
|
|
|
--launch-browser
|
|
Launch a browser for authorization. If not enabled or if it is not
|
|
possible to launch a browser, prints a URL to standard output to be
|
|
copied.
|
|
|
|
If you want to authorize the client libraries on a machine that doesn't
|
|
have a browser and you cannot install the gcloud CLI on another machine
|
|
with a browser, use the --no-launch-browser flag. The
|
|
--no-launch-browser flag prevents the command from automatically
|
|
opening a web browser.
|
|
|
|
1. To initiate authorization, enter the following command:
|
|
|
|
gcloud auth application-default login --no-launch-browser
|
|
|
|
2. Copy the long URL that begins with
|
|
https://accounts.google.com/o/oauth2/auth...
|
|
|
|
3. Paste this URL into the browser of a different, trusted machine that
|
|
has a web browser.
|
|
|
|
4. Copy the authorization code from the machine with the web browser.
|
|
|
|
5. Paste the authorization code back to the first machine at the
|
|
prompt, "Enter authorization code", and press Enter to complete the
|
|
authorization.
|
|
|
|
Enabled by default, use --no-launch-browser to disable.
|
|
|
|
--login-config=LOGIN_CONFIG
|
|
Path to the login configuration file (workforce pool, generated by the
|
|
Cloud Console or gcloud iam workforce-pools create-login-config).
|
|
Overrides the default auth/login_config_file property value for this
|
|
command invocation.
|
|
|
|
--scopes=SCOPE,[SCOPE,...]
|
|
The names of the scopes to authorize for. By default openid,
|
|
https://www.googleapis.com/auth/userinfo.email,
|
|
https://www.googleapis.com/auth/cloud-platform,
|
|
https://www.googleapis.com/auth/sqlservice.login scopes are used. The
|
|
list of possible scopes can be found at:
|
|
https://developers.google.com/identity/protocols/googlescopes.
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
NOTES
|
|
These variants are also available:
|
|
|
|
$ gcloud alpha auth application-default login
|
|
|
|
$ gcloud beta auth application-default login
|
|
|