gcloud auth login - authorize gcloud to access the Cloud Platform with Google user credentials
gcloud auth login [ACCOUNT] [--no-activate] [--brief] [--no-browser] [--cred-file=CRED_FILE] [--enable-gdrive-access] [--force] [--no-launch-browser] [--update-adc] [GCLOUD_WIDE_FLAG ...]
Obtains access credentials for your user account via a web-based authorization flow. When this command completes successfully, it sets the active account in the current configuration to the account specified. If no configuration exists, it creates a configuration named default.
If valid credentials for an account are already available from a prior authorization, the account is set to active without rerunning the flow.
Use gcloud auth list to view credentialed accounts.
If you'd rather authorize without a web browser but still interact with the command line, use the --no-browser flag. To authorize without a web browser and non-interactively, create a service account with the appropriate scopes using the Google Cloud Console https://console.cloud.google.com and use gcloud auth activate-service-account with the corresponding JSON key file.
In addition to Google user credentials, authorization using workload identity federation or service account keys is also supported.
For authorization with external accounts (workload identity pools) or service accounts, the --cred-file flag must be specified with the path to the workload identity credential configuration file or service account key file (JSON). Login with workload identity federation is also supported in gsutil and this command is the recommended way of using external accounts. For more information on workload identity federation, see: https://cloud.google.com/iam/docs/workload-identity-federation.
For more information on authorization and credential types, see: https://cloud.google.com/sdk/docs/authorizing.
To obtain access credentials for your user account, run:
$ gcloud auth login
To obtain access credentials using workload identity federation, run:
$ gcloud auth login --cred-file=/path/to/workload/configuration/file
- [ACCOUNT]
User account used for authorization.
- --activate
Set the new account to active. Enabled by default, use --no-activate to disable.
- --brief
Minimal user output.
- --no-browser
If you want to authorize the gcloud CLI on a machine that doesn't have a browser and you can install the gcloud CLI on another machine with a browser, use the --no-browser flag.
1. To initiate authorization, enter the following command:
gcloud auth login --no-browser
2. Copy the long command that begins with gcloud auth login --remote-bootstrap=".
3. Paste and run this command on the command line of a different, trusted machine that has local installations of both a web browser and the gcloud CLI tool version 372.0 or later.
4. Copy the long URL output from the machine with the web browser.
5. Paste the long URL back to the first machine under the prompt, "Enter the output of the above command", and press Enter to complete the authorization.
- --cred-file=CRED_FILE
Path to the external account configuration file (workload identity pool, generated by the Cloud Console or gcloud iam workload-identity-pools create-cred-config) or service account credential key file (JSON).
- --enable-gdrive-access
Enable Google Drive access.
- --force
Re-run the web authorization flow even if the given account has valid credentials.
- --launch-browser
Launch a browser for authorization. If not enabled or if it is not possible to launch a browser, prints a URL to standard output to be copied.
If you want to authorize the gcloud CLI on a machine that doesn't have a browser and you cannot install the gcloud CLI on another machine with a browser, use the --no-launch-browser flag. The --no-launch-browser flag prevents the command from automatically opening a web browser.
1. To initiate authorization, enter the following command:
gcloud auth login --no-launch-browser
2. Copy the long URL that begins with https://accounts.google.com/o/oauth2/auth...
3. Paste this URL into the browser of a different, trusted machine that has a web browser.
4. Copy the authorization code from the machine with the web browser.
5. Paste the authorization code back to the first machine at the prompt, "Enter authorization code", and press Enter to complete the authorization.
Enabled by default, use --no-launch-browser to disable.
- --update-adc
Write the obtained credentials to the well-known location for Application Default Credentials (ADC). Run $ gcloud auth application-default --help to learn more about ADC. Any credentials previously generated by gcloud auth application-default login will be overwritten.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
These variants are also available:
$ gcloud alpha auth login
$ gcloud beta auth login