GC-301e · Module 1
Authentication & Project Setup
4 min read
Gemini CLI's Google Cloud integration follows the Application Default Credentials (ADC) chain. When you authenticate with gcloud auth application-default login, a credential file is written to a well-known location (~/.config/gcloud/application_default_credentials.json). Gemini CLI's Google Cloud extensions, MCP servers, and shell commands all inherit these credentials automatically. No additional configuration is needed for local development.
Project selection determines which GCP project receives your API calls, deployments, and resource creation. The active project is set via gcloud config set project PROJECT_ID and persists across Gemini CLI sessions. For multi-project workflows — deploying to staging and production in the same session — use gcloud config configurations to create named profiles. Switch profiles within a Gemini session using shell commands: gcloud config configurations activate staging.
The credential chain matters in CI/CD. In GitHub Actions or Cloud Build, there is no browser for OAuth. Instead, use Workload Identity Federation (preferred) or a service account key file. Set GOOGLE_APPLICATION_CREDENTIALS to point at the key file, and every Google Cloud operation in the Gemini CLI session inherits those credentials. Workload Identity Federation is more secure — no key files to leak — and is the recommended approach for production pipelines.
# Local development — OAuth with your Google account
gcloud auth login
gcloud auth application-default login
gcloud config set project my-project-id
# Verify active credentials and project
gcloud auth list
gcloud config get-value project
# Multi-project setup with named configurations
gcloud config configurations create staging
gcloud config set project staging-project-id
gcloud config configurations create production
gcloud config set project production-project-id
# Switch in a Gemini session
# "Switch to the staging project and list Cloud Run services"
# Gemini runs: gcloud config configurations activate staging
# CI/CD — service account key (less preferred)
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
# CI/CD — Workload Identity Federation (preferred)
# Configured in GitHub Actions with google-github-actions/auth@v2