Configuring the gcloud CLI for use behind a proxy/firewall

If you are behind a corporate proxy or firewall, the Google Cloud CLI might not be able to access the internet with its default settings.

Installing the gcloud CLI

The interactive gcloud CLI installers download components from the internet as part of the installation process, which might not work correctly if you're behind a proxy or firewall.

For a simpler installation process when proxy configuration is necessary, use one of the self-contained versioned archives to install the gcloud CLI. All previous versions of the gcloud CLI are also available to download from the downloads archive.

Proxy configuration

After you have the gcloud CLI installed, proxy settings can be configured using gcloud CLI properties by running gcloud config. For more information on what gcloud CLI properties are and how to use them, refer to the properties page.

To start, set the type of proxy you are using and the address and port on which to reach it:

gcloud config set proxy/type [PROXY_TYPE]

gcloud config set proxy/address [PROXY_IP_ADDRESS]

gcloud config set proxy/port [PROXY_PORT]
  • The gcloud CLI supports the following values for PROXY_TYPE: http, http_no_tunnel, socks4, socks5
  • PROXY_IP_ADDRESS is the hostname or IP address of where the proxy can be reached.
  • PROXY_PORT is the port the proxy is running on (e.g. 8080).

For an authenticated proxy, you will need to set your proxy username and password using properties as follows:

gcloud config set proxy/username [USERNAME]

gcloud config set proxy/password [PASSWORD]

Alternatively, to avoid having the proxy credentials recorded in any logs (such as shell history or gcloud CLI logs) or in the gcloud CLI configuration file, you can set the properties using environment variables, as shown in the following sample:

export CLOUDSDK_PROXY_USERNAME [USERNAME]

export CLOUDSDK_PROXY_PASSWORD [PASSWORD]

The gcloud CLI won't store these values. This way, the credentials can be stored in an encrypted file locally, or they can be stored in a secure network location and retrieved when necessary.

If you are behind a proxy and you receive SSL handshake errors, it's likely that your proxy is a man-in-the-middle proxy which uses a custom CA. You need to set the following property to point to your custom CA file:

gcloud config set core/custom_ca_certs_file [PATH_TO_CUSTOM_CA]

For a full description of related properties, run gcloud topic configurations or gcloud config set and look for proxy under the Available properties section.