Authenticate and setup API access within a workstation
Stay organized with collectionsSave and categorize content based on your preferences.
This document describes how to authenticate and set up API access within a
workstation.
For general information about Google Cloud authentication, see theauthentication overview.
Authenticate as a user with Google Cloud CLI
After you launch Cloud Workstations, you can access Google Cloud services and the API using
your user accounts through thegcloudCLI.
Open a terminal in your workstation. The way you open a terminal window depends on theIDE that you're using.
For example, if you're using the Cloud Workstations base editor, open a
terminal by selectingTerminal>New Terminal, or by pressingControl+Shift+`.
Authenticate with the following command:
gcloud auth login --no-launch-browser
Follow the instructions provided by the command to authenticate to Google Cloud.
Specify your Google Cloud project ID with the following command:
gcloud config set projectPROJECT_ID
Enable Application Default Credentials to allow you to call Google Cloud services.
gcloud auth application-default login
YourgcloudCLI credentials are now saved and available when you use your workstation in
future sessions.
Issue an HTTP request to a workstation
To issue an HTTP request to a workstation, you need an access token for
an account that has theCloud Workstations Userrole on that workstation:
Add an HTTP header namedAuthorizationwith the valueBearer $TOKEN.
Connect to the workstation in your browser
Opening your workstation URL in your browser automatically authenticates
through a redirect to the workstations server, and retrieves an access
token generated by thegenerateAccessTokenAPI method. This redirects back to your workstation and sets an
authentication cookie that is valid for your current workstation session.
To skip this redirect, use the_workstationAccessTokenURL
parameter:
Open your workstation URL in the browser and append a URL parameter
with the following form:_workstationAccessToken=TOKEN.
This sets an authentication cookie in your browser that allows access for
your current workstation session. Skipping the redirect can be helpful
when access to the workstation server is blocked by network policies, or
when using iframes to display the workstation in other sites.
Impersonate a service account
If your organization's security policies prevent user accounts from having the required
permissions, you can also impersonate a service account. To impersonate theservice accountspecified on your workstation configuration, you can specify theservice account scopesfield.
When specified, users of workstations under this
configuration must haveiam.serviceAccounts.actAspermission on the service
account. For more information on specifying scopes for the service account, seeAccess scopes.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["This document describes how to authenticate and set up API access within a\nworkstation.\nFor general information about Google Cloud authentication, see the\n[authentication overview](/docs/authentication).\n\nAuthenticate as a user with Google Cloud CLI\n\n\nAfter you launch Cloud Workstations, you can access Google Cloud services and the API using\nyour user accounts through the `gcloud` CLI.\n\n1. Open a terminal in your workstation. The way you open a terminal window depends on the [IDE that you're using](/workstations/docs/preconfigured-ides). For example, if you're using the Cloud Workstations base editor, open a terminal by selecting **Terminal** \\\u003e **New Terminal** , or by pressing \u003ckbd\u003eControl+Shift+`\u003c/kbd\u003e.\n2. Authenticate with the following command: \n\n ```\n gcloud auth login --no-launch-browser\n ```\n3. Follow the instructions provided by the command to authenticate to Google Cloud.\n4. Specify your Google Cloud project ID with the following command: \n\n ```\n gcloud config set project PROJECT_ID\n ```\n5. Enable Application Default Credentials to allow you to call Google Cloud services. \n\n ```\n gcloud auth application-default login\n ```\n6. Your `gcloud` CLI credentials are now saved and available when you use your workstation in future sessions.\n\nIssue an HTTP request to a workstation\n\nTo issue an HTTP request to a workstation, you need an access token for\nan account that has the [Cloud Workstations User](/workstations/docs/access-control#workstations-user)\nrole on that workstation:\n\n1. Generate an access token using the [generateAccessToken](/workstations/docs/reference/rest/v1/projects.locations.workstationClusters.workstationConfigs.workstations/generateAccessToken) API method.\n2. Add an HTTP header named `Authorization` with the value `Bearer $TOKEN`.\n\n| **Note:** Once generated, the access token is valid for the expiration time of the token and cannot be revoked.\n\nConnect to the workstation in your browser\n\nOpening your workstation URL in your browser automatically authenticates\nthrough a redirect to the workstations server, and retrieves an access\ntoken generated by the\n[generateAccessToken](/workstations/docs/reference/rest/v1/projects.locations.workstationClusters.workstationConfigs.workstations/generateAccessToken)\nAPI method. This redirects back to your workstation and sets an\nauthentication cookie that is valid for your current workstation session.\n\nTo skip this redirect, use the `_workstationAccessToken` URL\nparameter:\n\n1. Generate an access token using the [generateAccessToken](/workstations/docs/reference/rest/v1/projects.locations.workstationClusters.workstationConfigs.workstations/generateAccessToken) API method.\n2. Open your workstation URL in the browser and append a URL parameter with the following form: `_workstationAccessToken=`\u003cvar translate=\"no\"\u003eTOKEN\u003c/var\u003e.\n\nThis sets an authentication cookie in your browser that allows access for\nyour current workstation session. Skipping the redirect can be helpful\nwhen access to the workstation server is blocked by network policies, or\nwhen using iframes to display the workstation in other sites.\n\nImpersonate a service account\n\n\nIf your organization's security policies prevent user accounts from having the required\npermissions, you can also impersonate a service account. To impersonate the\n[service account](/workstations/docs/reference/rest/v1/projects.locations.workstationClusters.workstationConfigs#GceInstance.FIELDS.service_account) specified on your workstation configuration, you can specify the\n[service account scopes](/workstations/docs/reference/rest/v1/projects.locations.workstationClusters.workstationConfigs#GceInstance.FIELDS.service_account_scopes) field.\n\n```\n gcloud workstations configs create CONFIG \\\n --cluster=CLUSTER \\\n --region=REGION \\\n --project=PROJECT \\\n --service-account=SERVICE_ACCOUNT \\\n --service-account-scopes=https://www.googleapis.com/auth/cloud-platform\n \n```\nWhen specified, users of workstations under this configuration must have `iam.serviceAccounts.actAs` permission on the service account. For more information on specifying scopes for the service account, see [Access scopes](/compute/docs/access/service-accounts#accesscopesiam).\n\n\u003cbr /\u003e\n\nWhat's next\n\n- Learn more about [SSH support](/workstations/docs/ssh-support).\n- See a list of [workstation configuration parameters](/workstations/docs/customize-development-environment).\n- [Access control with Identity and Access Management](/workstations/docs/access-control) and Cloud Workstations"]]
