gcloud auth print-access-token: OAuth Tokens
gcloud auth print-access-token outputs a short-lived OAuth 2.0 access token for the active credentials.
When a step needs a bearer token for a raw API call or a registry login, this prints one. It works just as well with impersonated or federated identities.
What it does
gcloud auth print-access-token mints and prints an OAuth access token for the currently active account. With --impersonate-service-account it prints a token for that service account instead, using your credentials to impersonate it.
Common usage
# bearer token for a raw REST call
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
https://run.googleapis.com/v2/projects/my-proj/locations/us-central1/services
# log Docker into Artifact Registry
gcloud auth print-access-token \
| docker login -u oauth2accesstoken \
--password-stdin us-central1-docker.pkg.devFlags
| Flag | What it does |
|---|---|
| --impersonate-service-account <sa> | Print a token for an impersonated SA |
| --scopes <list> | Request specific OAuth scopes |
| --lifetime <dur> | Token lifetime when impersonating (max 1h) |
In CI
After authenticating with Workload Identity Federation, this token is short-lived by design, so mint it just before use rather than caching it. Piping it into docker login -u oauth2accesstoken is the keyless way to push images.
Common errors in CI
"You do not currently have an active account selected" means no credentials are set up; run the auth step first. "Permission 'iam.serviceAccounts.getAccessToken' denied" on --impersonate-service-account means your identity lacks roles/iam.serviceAccountTokenCreator on that SA. A 401 from the API usually means the token expired; regenerate it per call.