Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://developers.google.com/identity/protocols/application-default-credentials below:

How Application Default Credentials works | Authentication

Stay organized with collections Save and categorize content based on your preferences.

This page describes the locations where Application Default Credentials (ADC) looks for credentials. Understanding how ADC works can help you understand which credentials ADC is using, and how it's finding them.

Application Default Credentials (ADC) is a strategy used by the authentication libraries to automatically find credentials based on the application environment. The authentication libraries make those credentials available to Cloud Client Libraries and Google API Client Libraries. When you use ADC, your code can run in either a development or production environment without changing how your application authenticates to Google Cloud services and APIs.

For information about how to provide credentials to ADC, including how to generate a local ADC file, see Set up Application Default Credentials.

ADC searches for credentials in the following locations:

1. GOOGLE_APPLICATION_CREDENTIALS environment variable
2. A credential file created by using the gcloud auth application-default login command
3. The attached service account, returned by the metadata server

The order of the locations ADC checks for credentials is not related to the relative merit of each location. For help with understanding the best ways to provide credentials to ADC, see Set up Application Default Credentials.

You can use the GOOGLE_APPLICATION_CREDENTIALS environment variable to provide the location of a credential JSON file. This JSON file can be one of the following types of files:

• A credential configuration file for Workforce Identity Federation

  Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize users to access Google Cloud resources. For more information, see Workforce Identity Federation in the Identity and Access Management (IAM) documentation.

• A credential configuration file for Workload Identity Federation

  Workload Identity Federation lets you use an external IdP to authenticate and authorize workloads to access Google Cloud resources. For more information, see Authenticating by using client libraries, the gcloud CLI, or Terraform in the Identity and Access Management (IAM) documentation.

• A service account key

  Service account keys create a security risk and are not recommended. Unlike the other credential file types, compromised service account keys can be used by a bad actor without any additional information. For more information, see Best practices for using and managing service account keys.

You can provide credentials to ADC by running the gcloud auth application-default login command. This command creates a JSON file containing the credentials you provide (either from your user account or from impersonating a service account) and places it in a well-known location on your file system. The location depends on your operating system:

• Linux, macOS: $HOME/.config/gcloud/application_default_credentials.json
• Windows: %APPDATA%\gcloud\application_default_credentials.json

The credentials you provide to ADC by using the gcloud CLI are distinct from your gcloud credentials—the credentials the gcloud CLI uses to authenticate to Google Cloud. For more information about these two sets of credentials, see gcloud CLI authentication configuration and ADC configuration .

By default, the access tokens generated from a local ADC file created with user credentials include the cloud-wide scope https://www.googleapis.com/auth/cloud-platform. To specify scopes explicitly, you use the –-scopes flag with the gcloud auth application-default login command.

To add scopes for services outside of Google Cloud, such as Google Drive, create an OAuth Client ID and provide it to the gcloud auth application-default login command by using the –-client-id-file flag, specifying your scopes with the -–scopes flag.

Many Google Cloud services let you attach a service account that can be used to provide credentials for accessing Google Cloud APIs. If ADC does not find credentials it can use in either the GOOGLE_APPLICATION_CREDENTIALS environment variable or the well-known location for local ADC credentials, it uses the metadata server to get credentials for the service where the code is running.

Using the credentials from the attached service account is the preferred method for finding credentials in a production environment on Google Cloud. To use the attached service account, follow these steps:

1. Create a user-managed service account.
2. Grant that service account the least privileged IAM roles possible.
3. Attach the service account to the resource where your code is running.

For help with creating a service account, see Creating and managing service accounts. For help with attaching a service account, see Attaching a service account to a resource. For help with determining the required IAM roles for your service account, see Choose predefined roles.

• Learn the best ways to provide credentials to ADC.
• Authenticate using the Cloud Client Libraries.
• Explore authentication methods.
• Learn about client libraries.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["Application Default Credentials (ADC) automatically locate credentials for your application based on its environment, allowing it to run in development or production without code changes."],["ADC prioritizes credential locations in a specific order: the `GOOGLE_APPLICATION_CREDENTIALS` environment variable, a file from the `gcloud auth application-default login` command, and lastly, an attached service account through the metadata server."],["The `GOOGLE_APPLICATION_CREDENTIALS` environment variable can point to credential files for Workforce Identity Federation, Workload Identity Federation, or a service account key, though service account keys are discouraged due to security risks."],["The `gcloud auth application-default login` command creates a local credential file, separate from gcloud CLI credentials, in a specific location that differs based on the operating system."],["Using an attached service account, accessible via the metadata server, is the recommended method for credentialing applications in a production Google Cloud environment."]]],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4