Sign in to the gcloud CLI with your federated identity

This document describes how to sign in to the Google Cloud CLI with your federated identity by using a browser-based sign in.

Before you begin

  1. Ensure that your administrator has set up and configured Workforce Identity Federation.

  2. Ensure that you have one of the following, which your administrator can provide: the workforce identity pool ID and the workforce identity pool provider ID (to create a login configuration file yourself), or the contents of a login configuration file that your administrator has already created.

Obtain a login configuration file

This section describes how you can obtain a login configuration file that you can use to sign in to the gcloud CLI.

Create a login configuration file

You can use the workforce identity pool ID and the workforce identity pool provider ID to create a login configuration file.

To create the login configuration file, run the following command. You can optionally activate the file as the default for the gcloud CLI by adding the --activate flag. You can then run gcloud auth login without specifying the configuration file path each time.

gcloud iam workforce-pools create-login-config \
    locations/global/workforcePools/WORKFORCE_POOL_ID/providers/PROVIDER_ID \
    --output-file=LOGIN_CONFIG_FILE_PATH

Replace the following:

  • WORKFORCE_POOL_ID: the workforce pool ID
  • PROVIDER_ID: the provider ID
  • LOGIN_CONFIG_FILE_PATH: the path to a configuration file that you specify—for example, login.json

The file contains the endpoints that the gcloud CLI uses for the browser-based authentication flow, and it sets the audience to the IdP that was configured in the workforce identity pool provider. The file doesn't contain confidential information.

The output looks similar to the following:

{
  "type": "external_account_authorized_user_login_config",
  "audience": "//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/PROVIDER_ID",
  "auth_url": "https://auth.cloud.google/authorize",
  "token_url": "https://sts.googleapis.com/v1/oauthtoken",
  "token_info_url": "https://sts.googleapis.com/v1/introspect"
}

You can now sign in to the gcloud CLI.

Save a login configuration file

You can save the login configuration file contents that your administrator provided to a file. Note the path, and then sign in to the gcloud CLI.

Sign in to the gcloud CLI

To sign in to the gcloud CLI with a login configuration file, run the following command:

gcloud auth login --login-config="LOGIN_CONFIG_FILE_PATH"

Replace LOGIN_CONFIG_FILE_PATH with the path to the login configuration file. This command activates the configuration so that you can run gcloud auth login without specifying the login configuration file each time. To disable activation, use --no-activate.
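The login configuration file holds no secrets, but it does decide where the browser flow sends you and which STS endpoint exchanges your token, so it is worth checking a file you received from someone else before pointing gcloud at it. The following script is an added example, not code from the Google Cloud documentation or the gcloud CLI: it checks that the file's type, audience and endpoint hosts are what the steps above produce, and then runs gcloud auth login only if the check passes. It assumes the file is pretty-printed one field per line, as create-login-config writes it; the pool ID my-pool and provider ID my-provider are hypothetical, and the sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): validate a login
# configuration file before handing it to `gcloud auth login`.
# Assumes one JSON field per line, as `gcloud iam workforce-pools
# create-login-config` writes it. Pool and provider IDs are hypothetical.
set -eu

# Print the string value of top-level field "$2" from the JSON file "$1".
json_field() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed only if the file is a login config for the expected pool/provider
# and its endpoints are Google's. Hosts are matched with a trailing slash so
# that look-alike domains such as sts.googleapis.com.example are rejected.
check_login_config() {
  file=$1
  expected_audience="//iam.googleapis.com/locations/global/workforcePools/$2/providers/$3"

  [ "$(json_field "$file" type)" = "external_account_authorized_user_login_config" ] \
    || { echo "$file: unexpected type" >&2; return 1; }
  [ "$(json_field "$file" audience)" = "$expected_audience" ] \
    || { echo "$file: audience does not match the expected pool/provider" >&2; return 1; }
  case "$(json_field "$file" auth_url)" in
    https://auth.cloud.google/*) ;;
    *) echo "$file: unexpected auth_url" >&2; return 1 ;;
  esac
  for field in token_url token_info_url; do
    case "$(json_field "$file" "$field")" in
      https://sts.googleapis.com/*) ;;
      *) echo "$file: unexpected $field" >&2; return 1 ;;
    esac
  done
}

# Validate first, then sign in (the gcloud call only runs if the CLI is installed).
sign_in_with_config() {
  check_login_config "$1" "$2" "$3" || return 1
  if command -v gcloud >/dev/null 2>&1; then
    gcloud auth login --login-config="$1"
  else
    echo "gcloud not found; $1 passed validation" >&2
  fi
}

# Constructed sample: the file create-login-config would write for the
# hypothetical pool "my-pool" and provider "my-provider".
workdir=$(mktemp -d)
cat > "$workdir/login.json" <<'EOF'
{
  "type": "external_account_authorized_user_login_config",
  "audience": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
  "auth_url": "https://auth.cloud.google/authorize",
  "token_url": "https://sts.googleapis.com/v1/oauthtoken",
  "token_info_url": "https://sts.googleapis.com/v1/introspect"
}
EOF
# Constructed negative sample: the same file with the token endpoint swapped
# for a look-alike host.
sed 's#https://sts.googleapis.com/v1/oauthtoken#https://sts.googleapis.com.example/v1/oauthtoken#' \
  "$workdir/login.json" > "$workdir/tampered.json"

check_login_config "$workdir/login.json" my-pool my-provider && echo "login.json: ok"
check_login_config "$workdir/tampered.json" my-pool my-provider || echo "tampered.json: rejected"
rm -rf "$workdir"
```

In practice you would call sign_in_with_config with the path from the steps above and the pool and provider IDs your administrator gave you; a file that fails the check should go back to the administrator rather than be activated.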