45

What is the difference between gcloud auth application-default login vs gcloud auth login?

Despite the definitions below, it is still hard to differentiate them.

gcloud auth application-default login :

  • acquire new user credentials to use for Application Default Credentials

gcloud auth login :

  • authorize gcloud to access the Cloud Platform with Google user credentials

When should I use one over the other?

blong
  • 2,778
  • 7
  • 40
  • 103
Marshall An
  • 732
  • 2
  • 8
  • 13

2 Answers2

80

The difference is the use cases:

As a developer, I want to interact with GCP via gcloud.
gcloud auth login
This obtains your credentials and stores them in ~/.config/gcloud/. Now you can run gcloud commands from your terminal and it will find your credentials automatically. Any code/SDK will not automatically pick up your creds in this case.

Reference: https://cloud.google.com/sdk/gcloud/reference/auth/login

As a developer, I want my code to interact with GCP via SDK.
gcloud auth application-default login
This obtains your credentials via a web flow and stores them in 'the well-known location for Application Default Credentials'. Now any code/SDK you run will be able to find the credentials automatically. This is a good stand-in when you want to locally test code which would normally run on a server and use a server-side credentials file.

Reference: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login

Edit (09/19/2019):
As Kent contributed in his comment below, 'the well-known location for Application Default Credentials' is a file named application_default_credentials.json located in your local ~/.config/gcloud/ directory. I've added an additional link below to an article by Theodore Sui and Daniel De Leo which goes into greater detail about the different authentication methods.

Article: https://medium.com/google-cloud/local-remote-authentication-with-google-cloud-platform-afe3aa017b95

Himal
  • 2,332
  • 17
  • 17
  • 5
    As of gcloud 248.0.0, the "well-known" location for application-default is ~/.config/gcloud/application_default_credentials.json. – Kent May 31 '19 at 22:49
  • 1
    On Google Cloud SDK 319.0.0 on Windows it's putting my application default credentials in ~/AppData/Roaming/gcloud/application_default_credentials.json – Sam Svenbjorgchristiensensen Jan 20 '21 at 01:23
11

I'm adding this as an answer because I don't have the reputation to comment. I think @Himal's answer is spot on but I'd like to clarify that when it says code/SDK, we should think code or Language (Java/Ruby/Python) SDK v/s the gcloud SDK (which is also referred to as Cloud SDK). This confused me a bit because I had the same doubts

So, gcloud auth login -> Login to gcloud SDK

gcloud auth application-default login -> Login to any code running on the computer (language SDK's within an application)

There is also a give-away in the OAuth authentication screen in the browser windows that open up:

gcloud auth login asks you to choose an account to continue to give access to 'google cloud sdk'.

gcloud auth application-default login asks you to give access to google auth library instead.

gavenkoa
  • 41,371
  • 15
  • 229
  • 277
Devu
  • 301
  • 2
  • 13