You can access Google Cloud products and services from your code using Cloud APIs. These Cloud APIs expose a simple JSON REST interface that you can call via client libraries.
This document describes how to enable Cloud APIs and add Cloud Client Libraries to your project.
Browsing Cloud APIs
To explore all available Google Cloud APIs within your IDE, follow these steps:
- Select Tools > Cloud Code > Add Cloud Libraries and Manage Cloud APIs.
- Expand the Google Cloud APIs explorer tree to view all available APIs. The explorer groups Cloud APIs by category. You can also look for a specific API using the Search APIs search bar.
- Click on an API to view more details, such as its status, language-specific installation instructions for its corresponding client libraries, and relevant documentation.

Enabling Cloud APIs
Additionally, you can quickly enable Cloud APIs for a project using the API details. To do so:
- Within the Cloud API details view, choose a Google Cloud project that you'd like to enable the Cloud API for.
- Click on the Enable API button.
Once the API has been enabled you'll see a message confirming this change.
Adding the Cloud Client Libraries
To add libraries to your project in IntelliJ:
For Java Maven projects
- Select Tools > Cloud Code > Add Cloud libraries and Manage Cloud APIs.
- Select your preferred library type from the choice of Google Cloud Client Library (recommended) or Java Spring GCP Library.
- In the Module drop-down menu, select the module that you want to add the library to.
- Click Add Maven Dependency to add BOM and client library to your project.
The Add Google Cloud Libraries dialog displays the supported libraries.

For all other projects
- Select Tools > Cloud Code > Add Cloud Libraries and Manage Cloud APIs.
- Install the API using the installation instructions listed on the API details page for your preferred language.
The Add Google Cloud Libraries dialog displays the supported libraries.

Setting up authentication
After you've enabled the required APIs and added the necessary client libraries, you need to configure your application in order for it to be successfully authenticated. Your configuration depends on your type of development and the platform you're running on.
Once you complete the relevant authentication steps, your application can authenticate and is ready to be deployed.
Local development
Local machine
- Cloud Code ensures you have your Application Default Credentials (ADC)
set, if you logged into Google Cloud via your IDE.
If you logged into Google Cloud outside your IDE (for example, via the gcloud command-line tool), you need to rungcloud auth login --update-adc
to set your ADC. This also lets Google Cloud client libraries find your ADC to authenticate with.
minikube
- Cloud Code ensures you have your Application Default Credentials (ADC)
set, if you logged into Google Cloud via your IDE.
If you logged into Google Cloud outside your IDE (for example, via the gcloud command-line tool), you need to rungcloud auth login --update-adc
to set your ADC. This also lets minikube find your ADC to authenticate with. - Start minikube with
minikube start --addons gcp-auth
. This mounts your ADC in your pods. For a detailed minikube auth guide for Google Cloud, refer to the minikube gcp-auth docs.
Other local K8s clusters
- Cloud Code ensures you have your Application Default Credentials (ADC)
set, if you logged into Google Cloud via your IDE.
If you logged into Google Cloud outside your IDE (for example, via the gcloud command-line tool), you need to rungcloud auth login --update-adc
to set your ADC. - Mount your local
gcloud
directory in your Kubernetes pods by editing the Pod specification in the Pod or Deployment manifests, so that the Google Cloud Client Libraries can find your credentials. Kubernetes pod configuration example:apiVersion: v1 kind: Pod metadata: name: my-app labels: name: my-app spec: containers: - name: my-app image: gcr.io/google-containers/busybox ports: - containerPort: 8080 volumeMounts: - mountPath: /root/.config/gcloud name: gcloud-volume volumes: - name: gcloud-volume hostPath: path: /path/to/home/.config/gcloud
Cloud Run
- Cloud Code ensures you have your Application Default Credentials (ADC)
set, if you logged into Google Cloud via your IDE.
If you logged into Google Cloud outside your IDE (for example, via the gcloud command-line tool), you need to rungcloud auth login --update-adc
to set your ADC. This also lets the Cloud Run local simulated environment find your ADC to authenticate with.
Remote development
Google Kubernetes Engine
Depending on the scope of your project, you can choose how you authenticate Google Cloud services on GKE:
- (Development only)
- Create a GKE cluster with the following settings:
- Ensure you're using the service account GKE uses by
default, the Compute Engine default service account, and that
Access scopes is set at Allow full access to
all Cloud APIs (both settings accessible within the Node Pools > Security section).
Since the Compute Engine service account is shared by all workloads deployed on your node, this method overprovisions permissions and should only be used for development. - Ensure Workload Identity is not enabled on your cluster (within the Cluster > Security section).
- Ensure you're using the service account GKE uses by
default, the Compute Engine default service account, and that
Access scopes is set at Allow full access to
all Cloud APIs (both settings accessible within the Node Pools > Security section).
- Assign the necessary roles to the Compute Engine default service account:
- If you're trying to access a secret, follow these Secret Manager-specific steps to set up the required roles on your service account.
- If the Compute Engine default service account is being used, the correct IAM roles may already be applied.
- The Understanding roles guide describes IAM role types and lists available predefined roles you can grant to identities.
- Create a GKE cluster with the following settings:
- (Recommended for production)
- Configure your GKE cluster and application with Workload Identity to authenticate Google Cloud services on GKE. This associates your Kubernetes service account with your Google service account.
- Configure your Kubernetes Deployment to reference the Kubernetes service
account by setting the
.spec.serviceAccountName
field in your Kubernetes Deployment YAML file.
If you're working on an app created from a Cloud Code template, this file is located under the kubernetes-manifests folder. - If the Google Cloud service you're trying to access requires additional
roles, grant them for the Google service account you're using to develop
your app:
- If you're trying to access a secret, follow these Secret Manager-specific steps to set up the required roles on your service account.
- The Understanding roles guide describes IAM role types and lists available predefined roles you can grant to identities.
Cloud Run
- Create a new unique service account for deploying your Cloud Run
application through the Service Accounts page. Ensure you select the same
project your secret is stored in.
Go to the Service Accounts page - If the Google Cloud service you're trying to access requires additional
roles, grant them for the Google service account you're using to develop
your app.
The Understanding roles guide describes IAM role types and lists available predefined roles you can grant to identities. - Add your service account to your deploy configuration.
To do so, navigate to your Cloud Run: Deploy run configuration, expand
the Advanced revision settings section, and fill in the Service Account
field with your service account.
Cloud Run
Depending on the scope of your project, you can choose how you authenticate Google Cloud services on GKE:
- (Development only)
- Create a GKE cluster with the following settings:
- Ensure you're using the service account GKE uses by
default, the Compute Engine default service account, and that
Access scopes is set at Allow full access to
all Cloud APIs (both settings accessible within the Node Pools > Security section).
Since the Compute Engine service account is shared by all workloads deployed on your node, this method overprovisions permissions and should only be used for development.
- Ensure Workload Identity is not enabled on your cluster (within the Cluster > Security section).
- Ensure you're using the service account GKE uses by
default, the Compute Engine default service account, and that
Access scopes is set at Allow full access to
all Cloud APIs (both settings accessible within the Node Pools > Security section).
- Assign the necessary roles to the Compute Engine default service account:
- If you're trying to access a secret, follow these Secret Manager-specific steps to set up the required roles on your service account.
- If the Compute Engine default service account is being used, the correct IAM roles may already be applied.
- The Understanding roles guide describes IAM role types and lists available predefined roles you can grant to identities.
- Create a GKE cluster with the following settings:
- (Recommended for production)
- Configure your GKE cluster and application with Workload Identity to authenticate Google Cloud services on GKE. This associates your Kubernetes service account with your Google service account.
- Add your Kubernetes service account to your deploy configuration.
To do so, navigate to your Cloud Run: Deploy run configuration, expand
the Advanced revision settings section, and fill in the Service Account
field with your Kubernetes service account.
- If the Google Cloud service you're trying to access requires additional
roles, grant them for the Google service account you're using to develop
your app:
- If you're trying to access a secret, follow these Secret Manager-specific steps to set up the required roles on your service account.
- The Understanding roles guide describes IAM role types and lists available predefined roles you can grant to identities.
Remote development with Secret Manager permissions enabled
If you're developing remotely, using a service account for authentication, and your application uses secrets, you need to complete a few more steps in addition to the remote development instructions. These steps assign your Google service account the role required to access a particular Secret Manager secret:
Open the Secret Manager panel and select the secret you want to access in your code.
Switch to the Permissions tab and configure your secret's permissions with the Edit Permission pencil icon. Clicking on the pencil icon launches the Secret Manager configuration page for that secret in your web browser.
Within the Info Panel in the Cloud Console, select Add member.
Assign your service account the Secret Manager Secret Accessor role.
Your service account now has permission to access this particular secret.