When  you use the gcloud auth login command to provide your user credentials, it passes your human user credentials through to gcp.

The issue is that your human credentials may require to go through either SSO or MFA (or both) - which will block the CLI access. An alternative is to create a service account in the gcp console - and use solely that service account to authenticate to gcp.

You accomplish this by using the --impersonate-service-account flag or the auth/impersonate_service_account property to impersonate a service account.

gcloud auth login --impersonate-service-account=SERVICE_ACCOUNT_EMAILS

Potential downside of using impersonate service account

One drawback is that this access is short lived (60  minutes). you need to keep generating new access tokens each time.

export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token --impersonate-service-account=<sa-name>.iam.gserviceaccount.com) cyou need to ke