---
title: gcp-login
url: /docs/esc/integrations/dynamic-login-credentials/gcp-login/
---
The `gcp-login` provider enables you to log in to Google Cloud using OpenID Connect or by providing static credentials. The provider will return a set of credentials that can be used to access Google Cloud resources or fetch secrets using the `gcp-secrets` provider.

## Example

### Basic configuration

```yaml
values:
  gcp:
    login:
      fn::open::gcp-login:
        project: 123456789
        oidc:
          workloadPoolId: pulumi-esc
          providerId: pulumi-esc
          serviceAccount: pulumi-esc@foo-bar-123456.iam.gserviceaccount.com
```

### Using outputs with Pulumi IaC and gcloud CLI

The `gcp-login` provider outputs credentials for use with both Pulumi's Google Cloud provider and the `gcloud` CLI. This example shows how to configure both:

```yaml
values:
  gcp:
    login:
      fn::open::gcp-login:
        project: 123456789
        oidc:
          workloadPoolId: pulumi-esc
          providerId: pulumi-esc
          serviceAccount: pulumi-esc@foo-bar-123456.iam.gserviceaccount.com
  pulumiConfig:
    gcp:project: ${gcp.login.project}
  environmentVariables:
    # The Google Cloud SDK (used by Pulumi's GCP provider) requires the project to be set by number
    GOOGLE_CLOUD_PROJECT: ${gcp.login.project}
    # The gcloud CLI requires the project to be set by name, and via a different env var
    # See: https://cloud.google.com/sdk/docs/properties#setting_properties_using_environment_variables
    CLOUDSDK_CORE_PROJECT: my-project-name
    # Provide OAuth access tokens to both the Google Cloud SDK and gcloud CLI
    GOOGLE_OAUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
```

Note that both `GOOGLE_CLOUD_PROJECT` (the numeric project number) and `CLOUDSDK_CORE_PROJECT` (the project name) are set because the Google Cloud SDK and the gcloud CLI identify the project differently.

This configuration enables:
- **Pulumi IaC**: The `pulumiConfig` section sets the GCP project for Pulumi's Google Cloud provider.
- **gcloud CLI**: The `environmentVariables` section configures authentication for the `gcloud` command-line tool.

## Configuring OIDC

To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Google Cloud, see the [OpenID Connect integration](/docs/esc/guides/configuring-oidc/gcp/) documentation.

## Inputs

| Property      | Type                                        | Description                                                                      |
|---------------|---------------------------------------------|----------------------------------------------------------------------------------|
| `project`     | number                                      | The **numerical** ID of the GCP project, aka project number. (e.g. 951040570662) |
| `accessToken` | [GCPLoginAccessToken](#gcploginaccesstoken) | [Optional] Options for access token login.                                       |
| `oidc`        | [GCPLoginOIDC](#gcploginoidc)               | [Optional] Options for OIDC login.                                               |

### GCPLoginAccessToken

| Property         | Type   | Description                                                                                  |
|------------------|--------|----------------------------------------------------------------------------------------------|
| `accessToken`    | string | The token used to authenticate with Google Cloud.                                            |
| `serviceAccount` | string | [Optional] - The service account to impersonate, if any.                                     |
| `tokenLifetime`  | string | [Optional] - The lifetime of the temporary credentials when impersonating a service account. |
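
The static-credential path, as an added example that is not part of the original page: the token is wrapped in `fn::secret` so that ESC treats it as a secret value, and the login impersonates a service account for a bounded time. The token placeholder, the service account email, and the `1h` duration format for `tokenLifetime` are assumptions.

```yaml
values:
  gcp:
    login:
      fn::open::gcp-login:
        project: 123456789
        accessToken:
          # Placeholder (assumption): substitute a real Google Cloud access token.
          # fn::secret marks the value as secret in the environment definition.
          accessToken:
            fn::secret: <your-google-cloud-access-token>
          # Optional: impersonate a service account instead of using the
          # token's own identity directly (email is a constructed sample).
          serviceAccount: pulumi-esc@foo-bar-123456.iam.gserviceaccount.com
          # Optional: lifetime of the impersonated credentials.
          # The "1h" duration format is an assumption.
          tokenLifetime: 1h
  environmentVariables:
    GOOGLE_CLOUD_PROJECT: ${gcp.login.project}
    GOOGLE_OAUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
```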

### GCPLoginOIDC

| Property         | Type   | Description                                                                |
|------------------|--------|----------------------------------------------------------------------------|
| `workloadPoolId` | string | The (short) ID of the workload pool to use.                                |
| `providerId`     | string | The (short) ID of the identity provider associated with the workload pool. |
| `serviceAccount` | string | The email address of the service account to use.                           |
| `region`         | string | [Optional] - The location of the Workload Identity Pool. For standard Workload Identity Pools, this should be `global` (the default). Only specify a regional value if you have explicitly created a regional Workload Identity Pool. |
| `tokenLifetime`  | string | [Optional] - The lifetime of the temporary credentials.                    |
| `subjectAttributes` | string[] | [Optional] - Subject attributes to be included in the OIDC token. For more information, see the [OpenID subject customization](/docs/esc/guides/configuring-oidc/#custom-token-claim) documentation. |

> **Note:** If you encounter authentication errors with GCP OIDC, see the [GCP OIDC troubleshooting guide](/docs/esc/guides/configuring-oidc/gcp/#troubleshooting) for common issues and solutions.

## Outputs

| Property      | Type   | Description                                                                      |
|---------------|--------|----------------------------------------------------------------------------------|
| `project`     | string | The **numerical** ID of the GCP project, aka project number. (e.g. 951040570662) |
| `accessToken` | string | The access token used to authenticate with Google Cloud.                         |
| `tokenType`   | string | The type of the access token.                                                    |
| `expiry`      | string | [Optional] - The access token's expiry time.                                     |

