From 5de7188afe656be75d89afe7e48397ec3e521077 Mon Sep 17 00:00:00 2001 From: Thanatat Tamtan Date: Wed, 17 Jun 2026 12:56:49 +0700 Subject: [PATCH] cli: document Google Cloud service-account auth Show how to drive the CLI with a Google Cloud SA: put a SA access token (with the userinfo.email scope) in DEPLOYS_TOKEN; cross-link the API auth section. Co-Authored-By: Claude Opus 4.8 (1M context) --- content/automation/cli.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/content/automation/cli.md b/content/automation/cli.md index 5b5bace..f822b2d 100644 --- a/content/automation/cli.md +++ b/content/automation/cli.md @@ -23,7 +23,9 @@ chmod +x ./deploys && sudo mv ./deploys /usr/local/bin/ The CLI accepts authentication three ways, in this order of precedence: -1. **`DEPLOYS_TOKEN`** — a Bearer token. Useful for short-lived personal use. +1. **`DEPLOYS_TOKEN`** — a Bearer token. Useful for short-lived personal use, and + for a [Google Cloud service-account](/api/overview/#authentication) access + token (see below). 2. **`DEPLOYS_AUTH_USER` + `DEPLOYS_AUTH_PASS`** — a [service account](/access/service-accounts/) email and key, sent as HTTP Basic. The right choice for CI. 3. **Google default credentials**. If neither of the above is set, the CLI @@ -39,6 +41,17 @@ export DEPLOYS_AUTH_PASS=…the key… deploys me get ``` +To use a **Google Cloud service account**, put a SA access token in +`DEPLOYS_TOKEN`. The token must carry the `userinfo.email` scope, and the SA's +email must be granted the permissions you need — see +[Google Cloud service-account auth](/api/overview/#authentication). + +```bash +export DEPLOYS_TOKEN=$(gcloud auth print-access-token \ + --scopes=https://www.googleapis.com/auth/userinfo.email) +deploys me get +``` + ## Command shape ```text