gcloud auth print-identity-token

gcloud auth print-identity-token - print an identity token for the specified account
gcloud auth print-identity-token [ACCOUNT] [--audiences=AUDIENCES] [--include-email] [--include-license --token-format=TOKEN_FORMAT; default="standard"] [GCLOUD_WIDE_FLAG]
Print an identity token for the specified account.
To print identity tokens:
gcloud auth print-identity-token

To print identity token for account '[email protected]' whose audience is 'http://service-hash-uc.a.run.app', run:

gcloud auth print-identity-token [email protected] --audiences="http://service-hash-uc.a.run.app"

To print identity token for an impersonated service account '[email protected]' whose audience is 'http://service-hash-uc.a.run.app', run:

gcloud auth print-identity-token --impersonate-service-account="[email protected]" --audiences="http://service-hash-uc.a.run.app"

To print identity token of a Compute Engine instance, which includes project and instance details as well as license codes for images associated with the instance, run:

gcloud auth print-identity-token --token-format=full --include-license

To print identity token for an impersonated service account '[email protected]', which includes the email address of the service account, run:

gcloud auth print-identity-token --impersonate-service-account="[email protected]" --include-email
Account to print the identity token for. If not specified, the current active account will be used.
Intended recipient of the token. Currently, only one audience can be specified.
Specify whether or not service account email is included in the identity token. If specified, the token will contain 'email' and 'email_verified' claims. This flag should only be used for impersonate service account.
Parameters for Google Compute Engine instance identity tokens.
Specify whether or not license codes for images associated with this instance are included in the identity token payload. Default is False. This flag does not have effect unless --token-format=full.
--token-format=TOKEN_FORMAT; default="standard"
Specify whether or not the project and instance details are included in the identity token payload. This flag only applies to Google Compute Engine instance identity tokens. See http://cloud.go888ogle.com.fqhub.com/compute/docs/instances/verifying-instance-identity#token_format for more details on token format. TOKEN_FORMAT must be one of: standard, full.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

These variants are also available:
gcloud alpha auth print-identity-token
gcloud beta auth print-identity-token