gcloud auth application-default print-access-token - print an access token for your current Application Default Credentials
gcloud auth application-default print-access-token [--scopes=SCOPE,[SCOPE,...]] [GCLOUD_WIDE_FLAG ...]
gcloud auth application-default print-access-token generates and prints an access token for the current Application Default Credential (ADC). The ADC https://google.aip.dev/auth/4110 can be specified either by using gcloud auth application-default login, gcloud auth login --cred-file=/path/to/cred/file --update-adc, or by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable.
The access token generated by gcloud auth application-default print-access-token is useful for manually testing APIs via curl or similar tools.
In order to print details of the access token, such as the associated account and the token's expiration time in seconds, run:
$ curl -H "Content-Type: application/x-www-form-urlencoded" \ -d "access_token=$(gcloud auth application-default print-access-token)" \ https://www.googleapis.com/oauth2/v1/tokeninfo
Note that token itself may not be enough to access some services. If you use the token with curl or similar tools, you may see permission errors similar to "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell". If it happens, you may need to provide a quota project in the "X-Goog-User-Project" header. For example,
$ curl -H "X-Goog-User-Project: your-project" \ -H \ "Authorization: Bearer $(gcloud auth application-default \ print-access-token)" foo.googleapis.com
The identity that granted the token must have the serviceusage.services.use permission on the provided project. See https://cloud.google.com/apis/docs/system-parameters for more information.
- --scopes=SCOPE,[SCOPE,...]
The scopes to authorize for. This flag is supported for user accounts and service accounts only. The list of possible scopes can be found at: https://developers.google.com/identity/protocols/googlescopes.
For end-user accounts, the provided scopes must be from [openid, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/sqlservice.login], or the scopes previously specified through gcloud auth application-default login --scopes.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
These variants are also available:
$ gcloud alpha auth application-default print-access-token
$ gcloud beta auth application-default print-access-token