1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 10:35:03 +00:00
gcloud-help/gcloud/auth/application-default/login
2023-03-01 10:23:17 +00:00

154 lines
6.6 KiB
Bash

NAME
gcloud auth application-default login - acquire new user credentials to use
for Application Default Credentials
SYNOPSIS
gcloud auth application-default login [--no-browser]
[--client-id-file=CLIENT_ID_FILE] [--disable-quota-project]
[--no-launch-browser] [--login-config=LOGIN_CONFIG]
[--scopes=SCOPE,[SCOPE,...]] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
Obtains user access credentials via a web flow and puts them in the
well-known location for Application Default Credentials (ADC).
This command is useful when you are developing code that would normally use
a service account but need to run the code in a local development
environment where it's easier to provide user credentials. The credentials
will apply to all API calls that make use of the Application Default
Credentials client library. Do not set the GOOGLE_APPLICATION_CREDENTIALS
environment variable if you want to use the credentials generated by this
command in your local development. This command tries to find a quota
project from gcloud's context and write it to ADC so that Google client
libraries can use it for billing and quota. Alternatively, you can use the
--client-id-file flag. In this case, the project owning the client ID will
be used for billing and quota. You can create the client ID file at
https://console.cloud.google.com/apis/credentials.
This command has no effect on the user account(s) set up by the gcloud auth
login command.
Any credentials previously generated by gcloud auth application-default
login will be overwritten.
EXAMPLES
If you want your local application to temporarily use your own user
credentials for API access, run:
$ gcloud auth application-default login
If you'd like to login by passing in a file containing your own client id,
run:
$ gcloud auth application-default login \
--client-id-file=clientid.json
FLAGS
--no-browser
If you want to authorize the client libraries on a machine that doesn't
have a browser and you can install the gcloud CLI on another machine
with a browser, use the --no-browser flag.
1. To initiate authorization, enter the following command:
gcloud auth application-default login --no-browser
2. Copy the long command that begins with gcloud auth
application-default login --remote-bootstrap=".
3. Paste and run this command on the command line of a different,
trusted machine that has local installations of both a web browser and
the gcloud CLI tool version 372.0 or later.
4. Copy the long URL output from the machine with the web browser.
5. Paste the long URL back to the first machine under the prompt,
"Enter the output of the above command", and press Enter to complete
the authorization.
--client-id-file=CLIENT_ID_FILE
A file containing your own client id to use to login. If
--client-id-file is specified, the quota project will not be written to
ADC.
--disable-quota-project
By default, the project in billing/quota_project or core/project will
be written to application default credentials (ADC) as the quota
project. When both are set, billing/quota_project takes precedence. You
can use --billing-project to overwrite the value in
billing/quota_project. Similarly, you can use --project to overwrite
the value in core/project. Client libraries will send it to services
and use it for quota and billing. To be able to use a project as the
quota project, the account in ADC must have the
serviceusage.services.use permission on the project. This permission is
granted to the project editor and project owner. You can create custom
roles to include this permission.
Note that some cloud services may ignore this quota project and still
bill the project owning the resources.
In the following situations, you may use this flag to skip setting the
quota project:
◆ The account in ADC cannot be granted the project editor or owner
role or any role with the serviceusage.services.use permission.
◆ You always want to bill the project owning the resources.
--launch-browser
Launch a browser for authorization. If not enabled or if it is not
possible to launch a browser, prints a URL to standard output to be
copied.
If you want to authorize the client libraries on a machine that doesn't
have a browser and you cannot install the gcloud CLI on another machine
with a browser, use the --no-launch-browser flag. The
--no-launch-browser flag prevents the command from automatically
opening a web browser.
1. To initiate authorization, enter the following command:
gcloud auth application-default login --no-launch-browser
2. Copy the long URL that begins with
https://accounts.google.com/o/oauth2/auth...
3. Paste this URL into the browser of a different, trusted machine that
has a web browser.
4. Copy the authorization code from the machine with the web browser.
5. Paste the authorization code back to the first machine at the
prompt, "Enter authorization code", and press Enter to complete the
authorization.
Enabled by default, use --no-launch-browser to disable.
--login-config=LOGIN_CONFIG
Path to the login configuration file (workforce pool, generated by the
Cloud Console or gcloud iam workforce-pools create-login-config).
Overrides the default auth/login_config_file property value for this
command invocation.
--scopes=SCOPE,[SCOPE,...]
The names of the scopes to authorize for. By default openid,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/cloud-platform,
https://www.googleapis.com/auth/sqlservice.login scopes are used. The
list of possible scopes can be found at:
https://developers.google.com/identity/protocols/googlescopes.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
These variants are also available:
$ gcloud alpha auth application-default login
$ gcloud beta auth application-default login