Skip to content
Latchkey

gcloud auth print-access-token: OAuth Tokens

gcloud auth print-access-token outputs a short-lived OAuth 2.0 access token for the active credentials.

When a step needs a bearer token for a raw API call or a registry login, this prints one. It works just as well with impersonated or federated identities.

What it does

gcloud auth print-access-token mints and prints an OAuth access token for the currently active account. With --impersonate-service-account it prints a token for that service account instead, using your credentials to impersonate it.

Common usage

Terminal
# bearer token for a raw REST call
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  https://run.googleapis.com/v2/projects/my-proj/locations/us-central1/services
# log Docker into Artifact Registry
gcloud auth print-access-token \
  | docker login -u oauth2accesstoken \
    --password-stdin us-central1-docker.pkg.dev

Flags

FlagWhat it does
--impersonate-service-account <sa>Print a token for an impersonated SA
--scopes <list>Request specific OAuth scopes
--lifetime <dur>Token lifetime when impersonating (max 1h)

In CI

After authenticating with Workload Identity Federation, this token is short-lived by design, so mint it just before use rather than caching it. Piping it into docker login -u oauth2accesstoken is the keyless way to push images.

Common errors in CI

"You do not currently have an active account selected" means no credentials are set up; run the auth step first. "Permission 'iam.serviceAccounts.getAccessToken' denied" on --impersonate-service-account means your identity lacks roles/iam.serviceAccountTokenCreator on that SA. A 401 from the API usually means the token expired; regenerate it per call.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →