This page describes various ways to sign in to the gcloud CLI. The Google Cloud CLI is a command-line tool you can use for Trusted Cloud by S3NS administration. Most services support the gcloud CLI.
If you plan to use client libraries or third-party development tools that support Application Default Credentials (ADC) in a local development environment, you need to configure ADC in your local environment. For more information, see Set up Application Default Credentials for a local development environment.
How you authenticate to and use the gcloud CLI depends on where you are running the tool:
Local environment
For most use cases, you can use your user credentials to sign in to the gcloud CLI, but you can also use a service account.
The following table describes your options for signing in to the gcloud CLI and how that affects the credentials used by the tool to authenticate and authorize to Google APIs.
Before signing in to the gcloud CLI you must set the core/universe_domain property in your configuration:
gcloud config set universe_domain s3nsapis.fr
Credential type | Authentication command | Notes | More information |
---|---|---|---|
User credentials | | Workforce Identity Federation lets users that are managed by an external identity provider (IdP) access Trusted Cloud resources. | |
Service account | gcloud auth login --cred-file=WORKLOAD_IDENTITY_FEDERATION_CREDENTIAL_FILE | Workload Identity Federation enables workloads running outside of Trusted Cloud to access Trusted Cloud resources. | Authenticate a workload |
Service account | gcloud auth login --cred-file=SERVICE_ACCT_KEY | This method is not recommended, because using service account keys increases risk. To use a service account for authorization to Google APIs, sign in to the gcloud CLI with your user credentials, and then use service account impersonation. | |
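The two --cred-file rows above take JSON files that look alike on disk but carry very different risk. The following check is an added example, not part of the original page or of the gcloud CLI: it classifies a candidate file before it is passed to gcloud auth login --cred-file. It assumes the `type` values `service_account` and `external_account` and the `universe_domain` field used in Google credential JSON files; the function name and sample inputs are hypothetical.

```python
import json

# Assumption: the universe domain set on this page; credential files carry a matching field.
EXPECTED_UNIVERSE = "s3nsapis.fr"

def classify_cred_file(text, expected_universe=EXPECTED_UNIVERSE):
    """Return (kind, findings) for the JSON text of a --cred-file candidate."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return "invalid", ["not valid JSON"]
    if not isinstance(cfg, dict):
        return "invalid", ["top-level JSON value is not an object"]

    ctype = cfg.get("type")
    if ctype == "service_account":
        kind = "service_account_key"
        if cfg.get("private_key"):
            findings.append("long-lived private key embedded; prefer user "
                            "sign-in plus service account impersonation")
    elif ctype == "external_account":
        kind = "workload_identity_federation"
        # Federation configs point at an external token source, not a stored secret.
        if "credential_source" not in cfg:
            findings.append("missing credential_source")
        if cfg.get("private_key"):
            findings.append("unexpected private_key in federation config")
    else:
        kind = "unknown"
        findings.append(f"unrecognised type: {ctype!r}")

    universe = cfg.get("universe_domain")
    if universe != expected_universe:
        findings.append(f"universe_domain is {universe!r}, expected {expected_universe!r}")
    return kind, findings

# Constructed sample inputs (no real keys or identifiers).
SAMPLE_KEY = json.dumps({"type": "service_account",
    "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
    "client_email": "example-sa@example-project.invalid",
    "universe_domain": "s3nsapis.fr"})
SAMPLE_WIF = json.dumps({"type": "external_account",
    "audience": "//iam.example.invalid/constructed-audience",
    "credential_source": {"file": "/var/run/token"},
    "universe_domain": "googleapis.com"})

if __name__ == "__main__":
    for name, text in (("key", SAMPLE_KEY), ("wif", SAMPLE_WIF)):
        print(name, classify_cred_file(text))
```

A service account key is flagged even when it is well formed, which mirrors the table's note that the key-based method is not recommended.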
Trusted Cloud compute resources
When you use the gcloud CLI on Trusted Cloud compute resources such as Compute Engine virtual machines, you don't need to initialize or sign in to the gcloud CLI, because it gets its credentials and configuration information from the hosting compute resource by using the metadata server.
Credential type | Authentication command | Notes | More information |
---|---|---|---|
Service account | Not applicable | The gcloud CLI uses the service account attached to the compute resource for authentication and authorization for all Google APIs. | Set up ADC for a resource with an attached service account |
gcloud CLI authentication configuration and ADC configuration
When you sign in to the gcloud CLI, you use the gcloud auth login command to authenticate a principal to the gcloud CLI. The gcloud CLI uses that principal for authentication and authorization to manage Trusted Cloud resources and services. This is your gcloud CLI authentication configuration.
When you use the gcloud CLI to configure ADC, you use the gcloud auth application-default login command. This command uses the principal you provide to configure ADC for your local environment. This is your ADC configuration.
Your gcloud CLI authentication configuration is distinct from your ADC configuration. They can use the same principal or different principals. The gcloud CLI does not use ADC to access Trusted Cloud resources.
The following table shows the two commands and what they do:
Command | Description |
---|---|
gcloud auth login | Accepts credentials that are used to authenticate to and authorize access to Trusted Cloud services. |
gcloud auth application-default login | Generates a local ADC file based on the credentials you provide to the command. |
Generally you use the same account to sign in to the gcloud CLI and to configure ADC, but you can use different accounts if needed.
What's next
- Learn more about how ADC finds credentials.
- Authenticate for using Cloud Client Libraries.
- Explore authentication methods.