Authorizing client libraries without access to a web browser - gcloud auth application-default login

Asked 21/3, 2022 at 17:30 Answered 28/4, 2023 at 11:58

Solved docker google-cloud-platform gcloud google-authentication google-cloud-sdk

When I use to run either command: gcloud auth application-default login OR for a specific docker container docker exec -it 822c4c491383 /home/astro/google-cloud-sdk/bin/gcloud auth application-default login.

My command line would give me a link to a google response page where I'd copy the code they gave me and write it in the command line.

For some reason now, whenever I try to do either command I'm getting the follow error, saying I don't have access to web browser.

You are authorizing client libraries without access to a web browser. Please run the following command on a machine with a web browser and copy its output back here. Make sure the installed gcloud version is 372.0.0 or newer.

gcloud auth application-default login --remote-bootstrap="https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=FmMFY6gvpOa9xndMXmWiNG3W1jDrCe&access_type=offline&code_challenge=zUI4n_pnYE5V7p0diDQLmL0X0Sk8XpTDzhz_vwtukOo&code_challenge_method=S256&token_usage=remote"

I've tried copying the link that's inside of this and place it in my web browser but I get a page saying.

Error 400: invalid request Missing required parameter: redirect uri

Edit: Though not sure why this is happening now, I added the option "--no-launch-browser" to the end of both commands and it gives me the link to place in my browser now manually and copy code.

Shelving answered 21/3, 2022 at 17:30 Comment(2)

Also had this problem for the first time today. Has always worked for me in the past. Your suggestion of --no-launch-browser restored the usual behaviour. – Interlaminate 22/3, 2022 at 23:16

what is your version of wsl and gcloud? – Minardi 30/3, 2022 at 19:37

On versions of gcloud >= 383.0.0 (26 Apr 2022), Google have removed support for the --console-only and --no-launch-browser flags on their CLI. As far as I can see, they do not give a reason for this, but it is likely security related.

The new intended method for authenticating on a machine without a web browser, is to use the --no-browser flag and copy the command it gives you onto a machine that has both gcloud >= 372.0 and a web browser installed. In other words, it is no longer possible to do this purely on a machine with no browser. See the following steps copied directly from their documentation:

Follow these steps:

Copy the long command that begins with gcloud auth login --remote-bootstrap=".

Paste and run this command on the command line of a different, trusted machine that has local installations of both a web browser and the gcloud CLI version 372.0 or later.

Copy the long URL output from the machine with the web browser.

Paste the long URL back to the first machine under the prompt, Enter the output of the above command, and press Enter to complete the authorization.

Interlaminate answered 25/4, 2022 at 9:43 Comment(4)

I've tried unfortunately in point 4, after i copied the output it didn't return any browser on localhost:8085 or further steps ? Is there any other way? – Coessential 28/5, 2022 at 2:56

Thanks, it's worked. Click Enter after the output command. – Coessential 28/5, 2022 at 4:45

This worked for me! Though after you complete step 2 and executing the command pops up a browser page, you should log in as requested. Once you are logged in, THEN go on to step 3. The "URL output" mentioned in step 3 is the one outputted on your command line upon executing command. e.g. https://localhost:8085/?state=aWMLYPMWxafW9m2DBcbznXmDvZM9YD&code=4/0A ... – Dehypnotize 27/7, 2022 at 15:26

I am very new to Google Cloud. Step 2 above says "run this command on the command line of a different, trusted machine that has local installations of both a web browser and the gcloud CLI version 372.0 or later." How do I create such an instance from the VM instances page. The only option I have under connect is SSH? TIA – Stonwin 11/8, 2022 at 15:59

Use gcloud init --console-only

Dorrie answered 22/4, 2022 at 22:49 Comment(1)

This works for now, but is not a permanent solution. Using this flag results in the following message being printed:

The '--console-only/--no-launch-browser' are deprecated and will be removed in future updates. Use '--no-browser' as a replacement.

However, the --no-browser flag is not useful if the user does not have access to a machine with gcloud and a browser - for example, a user that uses a headless remote development machine. – Interlaminate 25/4, 2022 at 9:4

"--console-only" below still works even though it's deprecated:

gcloud init --console-only

And "--no-launch-browser" below still works even though it's deprecated:

gcloud init --no-launch-browser

"--no-browser" below doesn't work yet but "--no-browser" will replace "--console-only" and "--no-launch-browser" so in the future, "--no-browser" will work while "--console-only" and "--no-launch-browser" won't work in the future:

gcloud init --no-browser

Erminois answered 29/4, 2022 at 14:37 Comment(0)

Authorize with a service account To authorize using a service account:

Go to the Service Accounts page in the Google Cloud console.

Go to Service Accounts

Choose an existing account or create a new account by clicking Create service account.
To create service account keys, see the IAM instructions to Create a service account key.
To activate your service account, run gcloud auth login with the --cred-file flag:

gcloud auth login --cred-file=CONFIGURATION_OR_KEY_FILE

Replace CONFIGURATION_OR_KEY_FILE with the path to one of the following:

A credential configuration file for workload identity federation
A service account key file

Zsazsa answered 28/4, 2023 at 11:58 Comment(0)

Because the redirect uri does not contain the whole URL, this can happen. This can be fixed by adjusting the Custom URL Base.

The result will look like this: https://my_company_artifactory:444/artifactory

You should also double-check that the Custom URL Base and /api/oauth2/loginResponse are included in your Google OAuth settings page's Authorized redirect URIs.

Reviewing for more information, you can add your localhost URL to the redirect URL, it would say it's not possible at this time. When setting the redirect URL before hitting the create button, it accepts it just fine.

Undertaking answered 23/3, 2022 at 22:41 Comment(0)

Recommended topics

Hot tags