Set up the Google Cloud CLI for Cloud de Confiance

This guide provides instructions for setting up the Google Cloud CLI ( gcloud CLI) for use with Cloud de Confiance. The gcloud CLI helps you create and work with Cloud de Confiance resources from the command line.

For more general information about configuring and using the gcloud CLI, see the Google Cloud CLI documentation.

Differences from setup in Google Cloud

If you're already familiar with setting up and using the CLI with Google Cloud, note the following:

  • There is some additional initial setup required to use the gcloud CLI with Cloud de Confiance, as described in this guide.
  • Cloud Shell is not available in Cloud de Confiance. The gcloud CLI must be installed on your local machine.
  • Initializing the gcloud CLI in one step with gcloud init is not available.
  • If a feature or product is unavailable in Cloud de Confiance, the corresponding gcloud CLI commands and parameters are also unavailable.

Before you begin

In addition to your own sign in details for Cloud de Confiance, you need the following to set up the gcloud CLI for the first time. If you are not an administrator for your organization, your administrator should provide you with this information.

  • Your organization's workload identity pool name.
  • Your organization's identity provider (IdP).

Install the gcloud CLI

Install the gcloud CLI, following the instructions for your OS.

Linux
  1. Confirm that you have a supported version of Python. The Google Cloud CLI requires Python 3.9 to 3.14. Note that the x86_64 Linux package includes a bundled Python interpreter that will be preferred by default. For information on how to choose and configure your Python interpreter, see gcloud topic startup.
  2. Download one of the following:
    Platform Package name Size SHA256 Checksum
    Linux 64-bit

    (x86_64)

    		 google-cloud-cli-linux-x86_64.tar.gz 150.5 MB 31000673c1f9e18ec7b38823748031c58949cb0479d36ede999ae8cad6097ae3
    Linux 64-bit

    (Arm)

    		 google-cloud-cli-linux-arm.tar.gz 57.1 MB a1c1a88274e8bf11561771b9373b566cbb044f1cb3884e454625ec9449ea33f2
    Linux 32-bit

    (x86)

    		 google-cloud-cli-linux-x86.tar.gz 57.1 MB 32ff2bea65cd5c79aa86b948219c1e861a0434cc99011f4d977c4a9810e595de

    To download the Linux archive file, run the following command: 

    curl -O https://storage.s3nsapis.fr/cloud-sdk-release/google-cloud-cli-linux-x86_64.tar.gz

    Refer to the table above and replace google-cloud-cli-linux-x86_64.tar.gz with the *.tar.gz package name that applies to your configuration.

  3. To extract the contents of the file to your file system (preferably to your home directory), run the following command: 
    tar -xf google-cloud-cli-linux-x86_64.tar.gz
     Optional: To replace an existing installation, remove the existing google-cloud-sdk directory and then extract the archive to the same location.
  4. (Optional) Add the gcloud CLI to your PATH. You can also opt-in to command-completion for your shell and usage statistics collection. Run the installation script (from the root of the folder you extracted in the last step) using the following command: 
    ./google-cloud-sdk/install.sh
     This can also be done non-interactively (for example, using a script) and by providing preferences as flags. To view the available flags, run: 
    ./google-cloud-sdk/install.sh --help
    • To send anonymous usage statistics to help improve the gcloud CLI, answer Y when prompted.
    • To add the gcloud CLI to your PATH and enable command completion, answer Y when prompted.
  5. If you updated your PATH in the previous step, open a new terminal so that the changes take effect.
  6. Optional: Install additional components using the component manager.
macOS
  1. Confirm that you have a supported version of Python:
    • To check your current Python version, run python3 -V or python -V. Supported versions are Python 3.9 to 3.14.
    • The main install script offers to install CPython's Python 3.12.
      • Xcode Command Line Tools is required to install Python.
      • Verify that Xcode Command Line Tools is installed by running: xcode-select -p.
      • If Xcode Command Line Tools is not installed, install it by running: sudo xcode-select --install.
    • Otherwise, to install a supported Python version, please visit the Python.org Python Releases for macOS.
    • If you have multiple Python interpreters installed on your machine, set the CLOUDSDK_PYTHON environment variable within your shell to point to the path of your preferred interpreter.
    • For more information on how to choose and configure your Python interpreter, see gcloud topic startup.
  2. Download one of the following:

    3. Platform Package Size SHA256 Checksum
    macOS 64-bit

    (x86_64)

    		 google-cloud-cli-darwin-x86_64.tar.gz 57.2 MB b24a11aa4f1816bff3122b3560c909c1eb7109bf8979821251d8bc5679582f10
    macOS 64-bit

    (ARM64, Apple silicon)

    		 google-cloud-cli-darwin-arm.tar.gz 57.1 MB b4d2b8b63593ad226cf1c4da0667ffa4a9cb923bd41ec269e67891491aeb126a
    macOS 32-bit

    (x86)

    		 google-cloud-cli-darwin-x86.tar.gz 55.7 MB 6e66bdc92029fd3a3856e6a9bc03f2799079184ff3fe436c7ade1ef1a8f03452
  3. Extract the archive to any location on your file system (preferably your Home directory). On macOS, this can be achieved by opening the downloaded .tar.gz archive file in the preferred location. Or run the following command: 
    tar -xf google-cloud-cli-darwin-arm.tar.gz

    Optional: To replace an existing installation, remove the existing google-cloud-sdk directory and then extract the archive to the same location.

  4. Run the installation script (from the root of the folder you extracted in the last step) using the following command: 
    ./google-cloud-sdk/install.sh

    The script will prompt to install Python 3.12 and certain recommended modules.

    The install can also be done non-interactively (for example, using a script) by providing preferences as flags. To describe the available flags, run: 
    ./google-cloud-sdk/install.sh --help
     To run the install script with screen reader mode on: 
    ./google-cloud-sdk/install.sh --screen-reader=true
     Optional:
    • To send anonymous usage statistics to help improve the gcloud CLI, answer Y when prompted.
    • To add the gcloud CLI to your PATH and enable command completion, answer Y when prompted.
  5. If you updated your PATH in the previous step, open a new terminal so that the changes take effect.
  6. Optional. Install additional components using the component manager.
Windows
    The Google Cloud CLI works on Windows 8.1 and later and Windows Server 2012 and later.

  1. Download the Google Cloud CLI installer.

    Alternatively, open a PowerShell terminal and run the following PowerShell commands: 

    (New-Object Net.WebClient).DownloadFile("https://storage.s3nsapis.fr/cloud-sdk-release/GoogleCloudSDKInstaller.exe", "$env:Temp\GoogleCloudSDKInstaller.exe")

& $env:Temp\GoogleCloudSDKInstaller.exe

  2. Launch the installer and follow the prompts. The installer is signed by Google LLC.

    If you're using a screen reader, check the Turn on screen reader mode checkbox. This option configures gcloud to use status trackers instead of unicode spinners, display progress as a percentage, and flatten tables. For more information, see the Accessibility features guide.

  3. Google Cloud CLI requires Python; supported versions are Python 3.9 to 3.14. By default, the Windows version of Google Cloud CLI comes bundled with Python 3. To use Google Cloud CLI your operating system must be able to run a supported version of Python.

    The installer installs all necessary dependencies, including the needed Python version. While Google Cloud CLI installs and manages Python 3 by default, you can use an existing Python installation if necessary by unchecking the option to Install Bundled Python. See gcloud topic startup to learn how to use an existing Python installation.

  4. After installation is complete, the installer gives you the option to create Start Menu and Desktop shortcuts, start the Google Cloud CLI shell, and configure the gcloud CLI. Make sure that you leave the options to start the shell and configure your installation selected. The installer starts a terminal window and runs the gcloud init command.

  5. The default installation doesn't include the App Engine extensions required to deploy an application using gcloud commands. These components can be installed using the gcloud CLI component manager.
Troubleshooting tips:
  • If your installation is unsuccessful due to the find command not being recognized, ensure your PATH environment variable is set to include the folder containing find. Usually, this is C:\WINDOWS\system32;.
  • If you uninstalled the gcloud CLI, you must reboot your system before installing the gcloud CLI again.
  • If unzipping fails, run the installer as an administrator.

Create your login configuration file

To set up access to your universe, you need to create a JSON configuration file for the gcloud CLI, including domains used by Cloud de Confiance and the IdP set up for your organization.

To create your login configuration file:

  • Run the following commands:

    gcloud config set universe_domain s3nsapis.fr

AUDIENCE=locations/global/workforcePools/POOL_ID/providers/PROVIDER_ID
UNIVERSE_WEB_DOMAIN="cloud.s3nscloud.fr"
UNIVERSE_API_DOMAIN="s3nsapis.fr"

gcloud iam workforce-pools create-login-config \
$AUDIENCE \
--universe-cloud-web-domain="$UNIVERSE_WEB_DOMAIN" \
--universe-domain="$UNIVERSE_API_DOMAIN" \
--output-file="wif-login-config.json"

    Replace the following:

    • POOL_ID: the unique identifier for your organization's workload identity pool.
    • PROVIDER_ID: your organization's identity provider (IdP).

The output is similar to the following:

Created login configuration file [wif-login-config.json].

After you have created your configuration file, you don't need to repeat this step as long as you are signing in from the same machine.

Sign in to Cloud de Confiance with the gcloud CLI

Now you can use the configuration file every time you need to sign in to Cloud de Confiance:

  • To sign in from the command line, run the following command:

    gcloud auth login -–login-config=wif-login-config.json

  • If you need to use Application Default Credentials (ADC) (required for running Terraform modules), run the following command:

    gcloud auth application-default login --login-config=wif-login-config.json

A web page opens where you can sign in with your login details. After you've logged in you can then go on to configure and use the gcloud CLI as described in the rest of its documentation.

(Optional) Set up default properties

When you set up the gcloud CLI, you are provided with a configuration called default that you can use for properties that provide default flag values or govern the tool's behavior. Although it's optional, we recommend configuring some default properties for gcloud CLI, such as your default project, before using the tool. Default properties are useful if you don't want to have to specify your project or preferred compute location every time you run a command.

The following steps set the same properties that are configured by gcloud init for Google Cloud users:

  1. To set your default project, run the following command, specifying your chosen project ID:

    gcloud config set project PROJECT_ID

  2. If you use Compute Engine or GKE, some commands require you to specify a compute region or zone. To set your default region for commands, run the following command:

    gcloud config set compute/region u-france-east1

    To set your default zone, run the following command:

    gcloud config set compute/zone ZONE

  3. To view your current configuration's properties, including the authenticated user, run the following command:

    gcloud config list

You can learn about how gcloud CLI configurations work and how to create and use additional configurations in Manage gcloud CLI configurations. You can learn more about specifying properties in Manage gcloud CLI properties.

(Optional) Run commands

Run core commands to view information about your gcloud CLI installation:

  1. List accounts whose credentials are stored on the local system:

    gcloud auth list

    The gcloud CLI displays a list of credentialed accounts:

    Credentialed Accounts
ACTIVE             ACCOUNT
*                  principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/my-user@example.com

  2. List the properties in your active gcloud CLI configuration:

    gcloud config list

    The gcloud CLI displays the list of properties:

    [core]
account = principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/my-user@example.com
disable_usage_reporting = False
project = my-project

  3. View information about gcloud commands and other topics:

    gcloud help

    For example, to view the help for gcloud compute instances create:

    gcloud help compute instances create

    The gcloud CLI displays a help topic that contains a description of the command, a list of command flags and arguments, and examples of how to use the command.

What's next