Stay organized with collections Save and categorize content based on your preferences.
This page describes some common problems you might encounter when using Application Default Credentials (ADC).
For information about how ADC works, including where credentials are found, see How Application Default Credentials works.
User credentials not workingIf your API request returns an error message about user credentials not being supported by this API, the API not being enabled in the project, or no quota project being set, review the following information.
There are two kinds of Google Cloud APIs:
Resource-based APIs, which use the project associated with the resources being accessed for billing and quota.
Client-based APIs, which use the project associated with the client accessing the resources for billing and quota.
When you provide user credentials to authenticate to a client-based API, you must specify the project to use for billing and quota. This project is called the quota project.
There are a number of ways to specify a quota project, including the following options:
Update your ADC file to use a different project as the quota project:
gcloud auth application-default set-quota-project YOUR_PROJECT
If you are using the gcloud CLI to call the API, you can set your quota project in your gcloud CLI config:
gcloud config set billing/quota_project YOUR_PROJECT
If you are calling the REST or RPC API directly, use the x-goog-user-project HTTP header to specify a quota project in each request. For details, see Set the quota project with a REST request.
You must have the serviceusage.services.use IAM permission for a project to be able to designate it as your billing project. The serviceusage.services.use permission is included in the Service Usage Consumer IAM role. If you don't have the serviceusage.services.use permission for any project, contact your security administrator or a project owner who can give you the Service Usage Consumer role in the project.
For more information about quota projects, see Quota project overview. For information about additional ways to set the quota project, see Set the quota project.
Incorrect credentialsIf your credentials don't seem to be providing the access you expect, or aren't found, check the following:
If you are using the gcloud CLI to access Google Cloud in a local environment, make sure you understand which credentials you are using. When you use the gcloud CLI, you are using the credentials you provided to the gcloud CLI by using the gcloud auth login command. You are not using the credentials you provided to ADC. For more information about these two sets of credentials, see gcloud CLI authentication configuration and ADC configuration.
Make sure that the GOOGLE_APPLICATION_CREDENTIALS environment variable is set only if you are using a service account key or other JSON file for ADC. The credentials pointed to by the environment variable take precedence over other credentials, including for Workload Identity Federation for GKE.
Confirm that the principal making the request has the required IAM roles. If you are using user credentials, then the roles must be granted to the email address associated with the user account. If you are using a service account, then that service account must have the required roles.
If you provide an API key with the API request, the API key takes precedence over ADC in any location. If you have set the GOOGLE_APPLICATION_CREDENTIALS environment variable and you are using an API key, the API might return a warning telling you that the credentials you provided to ADC are being ignored. To stop the warning, unset the GOOGLE_APPLICATION_CREDENTIALS environment variable.
If your API request returns an error that includes Error creating credential from JSON. Unrecognized credential type, make sure you are using a valid credential. Client ID files are not supported to provide credentials for ADC.
Credentials from a local ADC file generated by using service account impersonation are not supported by all of the authentication libraries. If your call returns an error similar to Neither metadata server or valid service account credentials are found, you can't use local impersonated credentials for this task.
To avoid this error, create your ADC file from your user credentials or run your code in an environment that has a metadata server available (such as Compute Engine).
Unknown project764086051850 used for request
Project 764086051850 is the project used by the gcloud CLI. If you see authentication errors referencing this project, you are trying to use a client-based API and you have not set both your project and your quota project for your configuration.
For more information, see User credentials not working.
Access blocked when using scopesWhen you attempt to create a local ADC file, and an error similar to This app is blocked or Access blocked: Authorization Error is returned, you might be attempting to use scopes that aren't supported by the default ADC setup command. Typically, this issue is caused by adding scopes for applications outside of Google Cloud, such as Google Drive.
By default, the access tokens generated from a local ADC file created with user credentials include the cloud-wide scope https://www.googleapis.com/auth/cloud-platform. To specify scopes explicitly, you use the –-scopes flag with the gcloud auth application-default login command.
To add scopes for services outside of Google Cloud, such as Google Drive, create an OAuth Client ID and provide it to the gcloud auth application-default login command by using the –-client-id-file flag, specifying your scopes with the -–scopes flag.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["This page covers common issues encountered when using Application Default Credentials (ADC), including problems with user credentials, incorrect credentials, unrecognized credential types, errors with service account impersonation, quota project issues, and access blocked by scopes."],["When using client-based APIs with user credentials, a quota project must be specified for billing and quota purposes; this can be set through the ADC file, the gcloud CLI config, or the `x-goog-user-project` HTTP header."],["If user credentials are not working, ensure that the API is enabled in the specified project, and that the user has the `serviceusage.services.use` IAM permission or the Service Usage Consumer role."],["When troubleshooting credential access problems, confirm that the correct credentials are being used, the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is set appropriately, the requesting principal has the required IAM roles, and that an API key isn't overriding ADC."],["If you receive an \"Access blocked\" error when creating a local ADC file, check if you're using scopes unsupported by the default ADC setup, and if necessary, use an OAuth Client ID to add scopes for non-Google Cloud services."]]],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4