You can provide either your user credentials or service account credentials to ADC in a local development environment.
User credentials
When your code is running in a local development environment, such as a development workstation, the best option is to use the credentials associated with your user account.
How you configure ADC with your user account depends on whether your user account is managed by Google—in other words, it is a Google Account—or by another identity provider (IdP), and federated by using Workforce Identity Federation.
Google Account
To configure ADC with a Google Account, you use the Google Cloud CLI:
After installing the Google Cloud CLI, initialize it by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
Note: To add scopes for services outside of Google Cloud, such as Google Drive, create an OAuth Client ID and provide it to the gcloud auth application-default login command by using the --client-id-file flag, specifying your scopes with the --scopes flag.
A sign-in screen appears. After you sign in, your credentials are stored in the local credential file used by ADC.
To configure ADC for a user account managed by an external IdP and federated with Workforce Identity Federation:
After installing the Google Cloud CLI, initialize it by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
A sign-in screen appears. After you sign in, your credentials are stored in the local credential file used by ADC.
When you configure ADC with your user account, you should be aware of the following facts:
ADC configured with a user account might not work for some APIs without extra configuration steps. If you see an error message about the API not being enabled in the project, or that there is no quota project available, see User credentials not working.
The local ADC file contains your refresh token. Any user with access to your file system can use it to get a valid access token. If you no longer need these local credentials, you can revoke them by using the gcloud auth application-default revoke command.
Your local ADC file is associated with your user account, not your gcloud CLI configuration. Changing to a different gcloud CLI configuration might change the identity used by the gcloud CLI, but it does not affect your local ADC file or the ADC configuration.
You can configure ADC with credentials from a service account by using service account impersonation or by using a service account key.
Service account impersonation
You can use service account impersonation to set up a local Application Default Credentials (ADC) file. Client libraries that support impersonation can use those credentials automatically. Local ADC files created by using impersonation are supported in the following languages: C#, Go, Java, Node.js, and Python.
You must have the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) IAM role on the service account you are impersonating. For more information, see Required roles.
Use service account impersonation to create a local ADC file:
gcloud auth application-default login --impersonate-service-account SERVICE_ACCT_EMAIL
You can now use client libraries using the supported languages the same way you would after setting up a local ADC file with user credentials. Credentials are automatically found by the authentication libraries. For more information, see Authenticate for using client libraries.
Credentials from a local ADC file generated by using service account impersonation are not supported by all of the authentication libraries. For more information, see Error returned for local credentials from service account impersonation.
Service account keys
If you cannot use a user account or service account impersonation for local development, you can use a service account key.
Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources.
If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.
To create a service account key and make it available to ADC:
Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file that contains your credentials. This variable applies only to your current shell session, so if you open a new session, set the variable again.
Example: Linux or macOS
export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Replace KEY_PATH with the path of the JSON file that contains your credentials.
For example:
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"
Example: Windows
For PowerShell:
$env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Replace KEY_PATH with the path of the JSON file that contains your credentials.
For example:
$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
For command prompt:
set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH
Replace KEY_PATH with the path of the JSON file that contains your credentials.
When you set the GOOGLE_APPLICATION_CREDENTIALS environment variable, ADC checks this location first, then checks other locations only if necessary.
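The following audit sketch is an added example, not code from this page or from Google. It reports which credential file ADC would load first (the environment variable before the local ADC file), what kind of credential it holds, and whether other local users can read it, which ties together the refresh-token warning under user credentials and the precedence rule above. The well-known file path and the `type` field values are assumptions drawn from gcloud CLI behavior rather than from this page, and `audit_adc` is a hypothetical helper name.

```python
import json
import os
import stat
from pathlib import Path

# Well-known gcloud location of the local ADC file (assumed; the page does not state it).
def well_known_adc_path(env=os.environ):
    if os.name == "nt":
        return Path(env.get("APPDATA", "")) / "gcloud" / "application_default_credentials.json"
    return Path.home() / ".config" / "gcloud" / "application_default_credentials.json"

ADVICE = {
    "service_account": "long-lived service account key; prefer user credentials or impersonation",
    "authorized_user": "contains a refresh token; revoke with "
                       "'gcloud auth application-default revoke' when no longer needed",
}

def audit_adc(env, well_known):
    """Return (source, path, cred_type, findings) for the file ADC would load first."""
    findings = []
    env_path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if env_path:
        source, path = "env", Path(env_path)
        if Path(well_known).is_file():
            findings.append("GOOGLE_APPLICATION_CREDENTIALS takes precedence over the local ADC file")
    else:
        source, path = "well-known", Path(well_known)
    if not path.is_file():
        findings.append("credential file not found")
        return source, path, None, findings
    try:
        cred_type = json.loads(path.read_text()).get("type")
    except (ValueError, AttributeError):
        cred_type = None
        findings.append("file is not a JSON credential object")
    if cred_type in ADVICE:
        findings.append(ADVICE[cred_type])
    # POSIX only: any group/other permission bit exposes the token or private key.
    if os.name == "posix" and stat.S_IMODE(path.stat().st_mode) & 0o077:
        findings.append("file is accessible to other local users; chmod 600")
    return source, path, cred_type, findings

if __name__ == "__main__":
    src, p, kind, notes = audit_adc(os.environ, well_known_adc_path())
    print(f"source={src} path={p} type={kind}")
    for n in notes:
        print(" -", n)
```
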
Understand best practices for using service account keys.
Learn more about how ADC finds credentials.
Explore authentication methods.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-02 UTC.