
Google Compute Engine and ADC Application Default Credentials


On Google Compute Engine, are Google Application Default Credentials already present? Or is it necessary to add them as an environment variable?


Solution

  • For Compute Engine the default service account provides credentials if the environment variable GOOGLE_APPLICATION_CREDENTIALS is not specified.

    Google Cloud Application Default Credentials (ADC) are not credentials. ADC is a strategy to locate Google Cloud Service Account credentials.

    If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC will use the filename that the variable points to for service account credentials. This file is a Google Cloud Service Account credentials file in JSON format. The previous P12 (PFX) certificates are deprecated.

    If the environment variable is not set, the default service account is used for credentials if the application is running on Compute Engine, App Engine, Kubernetes Engine or Cloud Functions.

    If the previous two steps fail to find valid credentials, ADC will fail, and an error occurs.

    Here is an example in Python that will create (locate) credentials for Google Cloud Storage on Compute Engine. First the environment variable will be checked and if not set, the default Compute Engine service account credentials will be used.

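    from google.auth import compute_engine
    from google.cloud import storage

    # Placeholder: set this to your own Google Cloud project ID.
    project = "your-project-id"

    # Credentials for the service account attached to the instance.
    credentials = compute_engine.Credentials()
    client = storage.Client(credentials=credentials, project=project)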
    

    I wrote several articles that cover Google Cloud credentials.
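The lookup order described in the answer above, written out as an added example (not code from the original answer, and not the google-auth library's own implementation). It models only the two steps the answer lists and reports when a key file on disk takes precedence over the instance's default service account; `adc_source`, `demo`, the `metadata_available` flag and the key file contents are constructed for illustration.

```python
import json
import os
import tempfile


def adc_source(environ, metadata_available):
    """Return (source, identity, findings) using the order described above.

    metadata_available is a hypothetical flag standing in for "running on
    Compute Engine with a default service account"; no network call is made.
    """
    findings = []
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if path:
        # Step 1: the environment variable wins, even on Compute Engine.
        try:
            with open(path, encoding="utf-8") as fh:
                info = json.load(fh)
        except (OSError, ValueError) as exc:
            raise RuntimeError(f"credentials file unusable: {exc}") from exc
        # Per the answer, the file is expected to be a service account key.
        if not isinstance(info, dict) or info.get("type") != "service_account":
            raise RuntimeError("file is not a service account key")
        if metadata_available:
            findings.append("key file overrides the instance's default service account")
        if os.stat(path).st_mode & 0o077:
            findings.append("key file is readable by group or others")
        return "key_file", info.get("client_email", "<missing>"), findings
    if metadata_available:
        # Step 2: fall back to the default service account of the instance.
        return "default_service_account", "<from metadata server>", findings
    # Step 3: neither source produced credentials.
    raise RuntimeError("no credentials found by either step")


def demo():
    """Run the resolver against a constructed (fake) key file."""
    fake_key = {"type": "service_account",
                "client_email": "constructed-sa@example-project.iam.gserviceaccount.com"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(fake_key, fh)
        os.chmod(path, 0o644)
        with_env = adc_source({"GOOGLE_APPLICATION_CREDENTIALS": path}, True)
    return with_env, adc_source({}, True)


if __name__ == "__main__":
    print(demo())
```

Pass `os.environ` as the first argument to check a real process environment; the second argument has to come from your own knowledge of where the code runs.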