gcloud auth application-default login

gcloud auth application-default login - acquire new user credentials to use for Application Default Credentials

gcloud auth application-default login [--client-id-file=CLIENT_ID_FILE] [--no-launch-browser] [--scopes=SCOPES,[SCOPES,…]] [--no-add-quota-project     | --disable-quota-project] [GCLOUD_WIDE_FLAG …]

This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials. The credentials will apply to all API calls that make use of the Application Default Credentials client library. Do not set the GOOGLE_APPLICATION_CREDENTIALS environment variable if you want to use the credentials generated by this command in your local development. This command tries to find a quota project from gcloud's context and write it to ADC so that Google client libraries can use it for billing and quota. Alternatively, you can use the --client-id-file flag. In this case, the project owning the client id will be used for billing and quota. You can create the client-id-file at https://console.cloud.google.com/apis/credentials.

This command has no effect on the user account(s) set up by the gcloud auth login command.

Any credentials previously generated by gcloud auth application-default login will be overwritten.

--client-id-file=CLIENT_ID_FILE

A file containing your own client id to use to login. If --client-id-file is specified, the quota project will not be written to ADC.

--launch-browser

Launch a browser for authorization. If not enabled or DISPLAY variable is not set, prints a URL to standard output to be copied. Enabled by default, use --no-launch-browser to disable.

--scopes=SCOPES,[SCOPES,…]

The names of the scopes to authorize for. By default openid, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/cloud-platform scopes are used. The list of possible scopes can be found at: https://developers.google.com/identity/protocols/googlescopes.

At most one of these may be specified:

--add-quota-project

(DEPRECATED) Read the project from the context of the gcloud command-line tool and write it to application default credentials as the quota project. It is the default behavior.

The --add-quota-project flag is deprecated. Enabled by default, use --no-add-quota-project to disable.

--disable-quota-project

By default, the project in billing/quota_project or core/project will be written to application default credentials (ADC) as the quota project. When both are set, billing/quota_project takes precedence. You can use --billing-project to overwrite the value in billing/quota_project. Similarly, you can use --project to overwrite the value in core/project. Client libraries will send it to services and use it for quota and billing. To be able to use a project as the quota project, the account in ADC must have the serviceusage.services.use permission on the project. This permission is granted to the project editor and project owner. You can create custom roles to include this permission.

Note that some cloud services may ignore this quota project and still bill the project owning the resources.

In the following situations, you may use this flag to skip setting the quota project:

• The account in ADC cannot be granted the project editor or owner role or any role with the serviceusage.services.use permission.
• You always want to bill the project owning the resources.

Run $ gcloud help for details.

gcloud auth application-default login

If you'd like to login by passing in a file containing your own client id, run:

gcloud auth application-default login --client-id-file=clientid.json

gcloud beta auth application-default login