Skip to content
Latchkey

gcloud "ERROR: (gcloud.auth)" - Fix Authentication in CI

gcloud has no active, valid credentials. No service account was activated, Workload Identity Federation was not set up, or the key/token the runner has is malformed or revoked.

What this error means

A gcloud command fails with a (gcloud.auth...) error, or with You do not currently have an active account selected. It happens before any API work because gcloud cannot identify the caller.

gcloud output
ERROR: (gcloud.auth.activate-service-account) Could not read json file key.json:
No such file or directory
# or
ERROR: (gcloud.run.deploy) You do not currently have an active account selected.

Common causes

No credentials activated in CI

Neither a service-account key was activated nor Workload Identity Federation was configured, so gcloud has no active account to act as.

Malformed, missing, or revoked key

The key file path is wrong, the JSON is truncated, or the service-account key has been disabled/deleted, so activation fails.

How to fix it

Authenticate via Workload Identity Federation

Use keyless auth so no service-account key is stored in CI.

.github/workflows/deploy.yml
- uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: projects/123/locations/global/workloadIdentityPools/ci/providers/gh
    service_account: deployer@my-proj.iam.gserviceaccount.com
- run: gcloud auth list

Activate a service-account key correctly

  1. Write the key JSON from a secret to a file, then gcloud auth activate-service-account --key-file=key.json.
  2. Set the project with gcloud config set project <id>.
  3. Verify with gcloud auth list that an account is active before deploying.

How to prevent it

  • Prefer Workload Identity Federation over stored JSON keys.
  • If using keys, store them as CI secrets and remove the file after the run.
  • Add a gcloud auth list assertion early in the job.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →