- NAME
-
- gcloud alpha auth application-default print-access-token - print an access token for your current Application Default Credentials
- SYNOPSIS
-
-
gcloud alpha auth application-default print-access-token
[--lifetime
=LIFETIME
] [--scopes
=SCOPE
,[SCOPE
,…]] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
-
(ALPHA)
gcloud alpha auth application-default print-access-token generates and prints an access token for the current Application Default Credential (ADC). The ADC can be specified either by usinggcloud auth application-default login
,gcloud auth login --cred-file=/path/to/cred/file --update-adc
, or by setting theGOOGLE_APPLICATION_CREDENTIALS
environment variable.The access token generated by gcloud alpha auth application-default print-access-token is useful for manually testing APIs via curl or similar tools.
In order to print details of the access token, such as the associated account and the token's expiration time in seconds, run:
curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth application-default print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo
Note that token itself may not be enough to access some services. If you use the token with curl or similar tools, you may see permission errors similar to "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell". If it happens, you may need to provide a quota project in the "X-Goog-User-Project" header. For example,
curl -H "X-Goog-User-Project: your-project" -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" foo.googleapis.com
The identity that granted the token must have the serviceusage.services.use permission on the provided project. See https://cloud.google.com/apis/docs/system-parameters for more information.
- FLAGS
-
--lifetime
=LIFETIME
-
Access token lifetime. The default access token lifetime is 3600 seconds, but
you can use this flag to reduce the lifetime or extend it up to 43200 seconds
(12 hours). The org policy constraint
constraints/iam.allowServiceAccountCredentialLifetimeExtension
must be set if you want to extend the lifetime beyond 3600 seconds. Note that this flag is for service account impersonation only, so it only works when either--impersonate-service-account
flag orauth/impersonate_service_account
property is set. --scopes
=SCOPE
,[SCOPE
,…]-
The scopes to authorize for. This flag is supported for user accounts and
service accounts only. The list of possible scopes can be found at: https://developers.google.com/identity/protocols/googlescopes.
For end-user accounts, the provided scopes must be from [
openid
,https://www.googleapis.com/auth/userinfo.email
,https://www.googleapis.com/auth/cloud-platform
,https://www.googleapis.com/auth/sqlservice.login
], or the scopes previously specified throughgcloud auth application-default login --scopes
.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - NOTES
-
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation-only early access
allowlist. These variants are also available:
gcloud auth application-default print-access-token
gcloud beta auth application-default print-access-token
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-17 UTC.