74

What is the difference between gcloud auth application-default login vs gcloud auth login?

Despite the definitions below, it is still hard to differentiate them.

gcloud auth application-default login :

  • acquire new user credentials to use for Application Default Credentials

gcloud auth login :

  • authorize gcloud to access the Cloud Platform with Google user credentials

When should I use one over the other?

blong
  • 2,815
  • 8
  • 44
  • 110
Marshall An
  • 1,072
  • 2
  • 11
  • 15

2 Answers2

132

The difference is the use cases:

As a developer, I want to interact with GCP via gcloud.
gcloud auth login
This obtains your credentials and stores them in ~/.config/gcloud/. Now you can run gcloud commands from your terminal and it will find your credentials automatically. Any code/SDK will not automatically pick up your creds in this case.

Reference: https://cloud.google.com/sdk/gcloud/reference/auth/login

As a developer, I want my code to interact with GCP via SDK.
gcloud auth application-default login
This obtains your credentials via a web flow and stores them in 'the well-known location for Application Default Credentials'. Now any code/SDK you run will be able to find the credentials automatically. This is a good stand-in when you want to locally test code which would normally run on a server and use a server-side credentials file.

Reference: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login

Edit (09/19/2019):
As Kent contributed in his comment below, 'the well-known location for Application Default Credentials' is a file named application_default_credentials.json located in your local ~/.config/gcloud/ directory. I've added an additional link below to an article by Theodore Sui and Daniel De Leo which goes into greater detail about the different authentication methods.

Article: https://medium.com/google-cloud/local-remote-authentication-with-google-cloud-platform-afe3aa017b95

Himal
  • 3,002
  • 1
  • 18
  • 17
  • 5
    As of gcloud 248.0.0, the "well-known" location for application-default is ~/.config/gcloud/application_default_credentials.json. – Kent May 31 '19 at 22:49
  • 2
    On Google Cloud SDK 319.0.0 on Windows it's putting my application default credentials in ~/AppData/Roaming/gcloud/application_default_credentials.json – Sam Svenbjorgchristiensensen Jan 20 '21 at 01:23
  • 1
    If you want to login to both at the same time, you can use `gcloud auth login --update-adc` – Lee Netherton Jan 05 '23 at 15:35
  • If I want to run an application with same method as the second one (want my code to interact with GCP via SDK), but with the service account which the VM is running with? Cause I cannot do the same authentication process as a user through browser. – Roy Levy Apr 03 '23 at 14:02
17

I'm adding this as an answer because I don't have the reputation to comment. I think @Himal's answer is spot on but I'd like to clarify that when it says code/SDK, we should think code or Language (Java/Ruby/Python) SDK v/s the gcloud SDK (which is also referred to as Cloud SDK). This confused me a bit because I had the same doubts

So, gcloud auth login -> Login to gcloud SDK

gcloud auth application-default login -> Login to any code running on the computer (language SDK's within an application)

There is also a give-away in the OAuth authentication screen in the browser windows that open up:

gcloud auth login asks you to choose an account to continue to give access to 'google cloud sdk'.

gcloud auth application-default login asks you to give access to google auth library instead.

gavenkoa
  • 45,285
  • 19
  • 251
  • 303
Devu
  • 381
  • 3
  • 15