gemini-cli - 💡(How to fix) Fix Bug: OAuth login fails with 403 "Cloud Code Private API has not been used in project 276287556352" (Ignores GOOGLE_CLOUD_PROJECT) [1 participants]

When attempting to authenticate the CLI using gemini auth login (OAuth) with a Google account that has a Gemini Advanced/Pro subscription, the login flow completes in the browser, but the CLI immediately crashes with a 403 PERMISSION_DENIED error. The error states that the Cloud Code Private API is not enabled in project 276287556352. This is an internal Google "Ghost Project" (likely the project that owns the CLI's hardcoded OAuth 2.0 Client ID) rather than the user's actual Google Cloud Project. Furthermore, explicitly setting the GOOGLE_CLOUD_PROJECT environment variable does not resolve the issue, as the CLI appears to be failing to pass this variable as the x-goog-user-project quota header when communicating with the cloudcode-pa.googleapis.com endpoint. To Reproduce Steps to reproduce the behavior:

1. Ensure you have a Gemini Pro/Advanced subscription on your Google account.
2. Completely clear old credentials (rm -rf ~/.gemini, clear macOS keychain).
3. Export a valid GCP project: export GOOGLE_CLOUD_PROJECT="my-valid-gcp-project"
4. Run gemini auth login
5. Complete the browser sign-in.
6. The terminal returns the 403 Ghost Project error. Expected behavior The CLI should successfully authenticate. Because the account has a Gemini Pro consumer subscription, it should either bypass the GCP project quota requirement entirely, OR it should successfully read the GOOGLE_CLOUD_PROJECT environment variable and pass it in the x-goog-user-project header to the API gateway. Actual behavior The CLI throws the following error: Failed to sign in. Message: Cloud Code Private API has not been used in project 276287556352 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudcode-pa.googleapis.com/overview?project=276287556352 then retry. Environment details:

• OS: macOS (darwin)
• CLI Version: 0.38.2 and 0.39.1 (npm & Homebrew)
• Node Version: Insert your node version, e.g., v20.x.x
• Auth Method: oauth-personal Additional Context & Root Cause Analysis We did a deep dive into the bundled source code and found the following:

1. The API Key method (export GEMINI_API_KEY="...") works perfectly because it routes to generativelanguage.googleapis.com.
2. The OAuth method routes to cloudcode-pa.googleapis.com.
3. In the bundled source code (oauth2.ts / chunk-X5TOY4FB.js), the OAuth2Client is initialized, but when the backend entitlement check fails, the API Gateway demands a quota project.
4. The code fetching the credentials does not seem to accurately inject process.env.GOOGLE_CLOUD_PROJECT into the quotaProjectId / x-goog-user-project header for the loadCodeAssist request. Consequently, the API Gateway defaults to the project ID of the OAuth Client (276287556352), resulting in an immediate 403.