This document describes how to sign in to the Google Cloud CLI with your federated identity by using a browser-based sign in.
Before you begin
Ensure that your administrator has set up and configured Workforce Identity Federation.
Ensure that you have information that supports one of the following options. Your administrator can provide this information.
Workforce identity pool and provider IDs: a workforce identity pool ID and a workforce identity pool provider ID that you can use to create a login configuration file.
Existing configuration file: a path to an existing login configuration file that you can use to sign in to the gcloud CLI.
Configuration file contents: configuration file contents that you can save to a configuration file.
Obtain a login configuration file
This section describes how you can obtain a login configuration file that you can use to sign in to the gcloud CLI.
Create a login configuration file
You can use the workload identity pool ID and workload identity pool provider ID to create a login configuration file.
To create the login configuration file, run the following command. You can optionally activate
the file as the default for the gcloud CLI by adding the
--activate
flag.
You can then run gcloud auth login
without specifying
the configuration file path each time.
gcloud iam workforce-pools create-login-config \ locations/global/workforcePools/WORKFORCE_POOL_ID/providers/PROVIDER_ID \ --output-file=LOGIN_CONFIG_FILE_PATH
Replace the following:
WORKFORCE_POOL_ID
: the workforce pool IDPROVIDER_ID
: the provider IDLOGIN_CONFIG_FILE_PATH
: the path to a configuration file that you specify—for example,login.json
The file contains contains the endpoints used by the gcloud CLI to enable the browser-based authentication flow and set the audience to the IdP that was configured in the workforce identity pool provider. The file doesn't contain confidential information.
The output looks similar to the following:
{ "type": "external_account_authorized_user_login_config", "audience": "//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID", "auth_url": "https://auth.cloud.google/authorize", "token_url": "https://sts.googleapis.com/v1/oauthtoken", "token_info_url": "https://googleapis.com/v1/introspect", }
You can now sign in to the gcloud CLI.
Save a login configuration file
You can save credential configuration file contents that were provided to you to a file. Note the path, and then sign in to the gcloud CLI.
Sign in to the gcloud CLI
To sign in to the gcloud CLI with a login configuration file, run the following command:
gcloud auth login --login-config="LOGIN_CONFIG_FILE_PATH"
Replace LOGIN_CONFIG_FILE_PATH
with the path to
the login configuration file. This command activates the configuration so that
you can run gcloud auth login
without specifying the login configuration file
each time. To disable activation, use --no-activate
.