Choose a workload authentication method

This document describes how you authenticate to Google APIs for apps or workloads that are either running in a production environment on Compute Engine, or being tested locally for future deployment to the production environment.

Task Method
Authenticate apps or workloads that are in production Use the service account that is attached to the VM.

This is the most common method for authenticating apps and workloads that are running on virtual machine (VM) instances on Google Cloud. For detailed instructions, see Authenticate workloads using service accounts.
Authenticate apps or workloads that are in development Use Google Cloud SDK and Application Default Credentials. For more information, see Local development environment.
Authorizing apps and workloads that need access to end-user resources If you are building development or administration tools where users grant you access to their Google Cloud resources, get your application access to user resources by using OAuth 2.0. For detailed instructions, see Using OAuth 2.0 for Web Server Applications.

In your request, specify an access scope that limits your access to only the methods and user information that your application requires. For a full list of services and required scopes across Google Cloud, see OAuth 2.0 Scopes for Google APIs.

What's next