Authenticate for using the gcloud CLI

This page describes various ways to sign in to the gcloud CLI. The Google Cloud CLI is a command-line tool you can use for Google Cloud administration. Most services support the gcloud CLI.

If you plan to use client libraries or third-party development tools that support Application Default Credentials (ADC) in a local development environment, you need to configure ADC in your local environment. For more information, see Set up Application Default Credentials for a local development environment.

How you authenticate to and use the gcloud CLI depends on where you are running the tool:

In a local environment
Using Cloud Shell
On Google Cloud compute resources

Local environment

For most use cases, you can use your user credentials to sign in to the gcloud CLI, but you can also use a service account.

When you sign in to the gcloud CLI in a local environment, the tool places your access and refresh tokens in your home directory. Any user with access to your file system can use those credentials. For more information, see Mitigating compromised OAuth tokens for Google Cloud CLI.

The following table describes your options for signing in to the gcloud CLI and how that affects the credentials used by the tool to authenticate and authorize to Google APIs.

Credential type	Authentication command	Notes	More information
User credentials	`gcloud init` `gcloud auth login`	The gcloud CLI uses your user credentials for authentication and authorization for all Google APIs. To use a service account for authorization to Google APIs, use service account impersonation.	Initialize the gcloud CLI Use service account impersonation
User credentials	`gcloud config set auth/login_config_file WORKFORCE_IDENTITY_FEDERATION_LOGIN_CONFIGURATION_FILE` `gcloud auth login`	Workforce identity federation enables users managed by an identity provider other than Google to access Google Cloud resources.	Browser-based sign-in with the gcloud CLI Workforce identity federation
Service account	`gcloud auth login --cred-file=WORKLOAD_IDENTITY_FEDERATION_CREDENTIAL_FILE`	Workload identity federation enables workloads running outside of Google Cloud to access Google Cloud resources.	Authenticate a workload
Service account	`gcloud auth login --cred-file=SERVICE_ACCT_KEY`	This method is not recommended, because using service account keys increases risk. To use a service account for authorization to Google APIs, sign in to the gcloud CLI with your user credentials, and then use service account impersonation.	Best practices for managing service account keys Use service account impersonation

Cloud Shell

When you use Cloud Shell, you don't need to sign in to the gcloud CLI, but you do need to authorize the use of your account before using any development tools from Cloud Shell. After you do that, the gcloud CLI uses your user credentials to access Google APIs.

For more information, see Authorize with Cloud Shell.

Google Cloud compute resources

When you use the gcloud CLI on Google Cloud compute resources such as Compute Engine virtual machines, you don't need to initialize or sign in to the gcloud CLI, because it gets its credentials and configuration information from the hosting compute resource by using the metadata server.

Credential type	Authentication command	Notes	More information
Service account	Not applicable	The gcloud CLI uses the service account attached to the compute resource for authentication and authorization for all Google APIs.	Google Cloud services that support attaching a service account

gcloud CLI authentication configuration and ADC configuration

When you sign in to the gcloud CLI, you use the gcloud auth login command to authenticate a principal to the gcloud CLI. The gcloud CLI uses that principal for authentication and authorization to manage Google Cloud resources and services. This is your gcloud CLI authentication configuration.

When you use the gcloud CLI to configure ADC, you use the gcloud auth application-default login command. This command uses the principal you provide to configure ADC for your local environment. This is your ADC configuration.

Your gcloud CLI authentication configuration is distinct from your ADC configuration. They can use the same principal or different principals. The gcloud CLI does not use ADC to access Google Cloud resources.

The following table shows the two commands and what they do:

Command	Description
`gcloud auth login`	Accepts credentials that are used to authenticate to and authorize access to Google Cloud services.
`gcloud auth application-default login`	Generates a local ADC file based on the credentials you provide to the command.

Generally you use the same account to sign in to the gcloud CLI and to configure ADC, but you can use different accounts if needed.

What's next

Learn more about how ADC finds credentials.
Authenticate for using Cloud Client Libraries.
Explore authentication methods.