If you are running your application outside of Google Cloud, you need to provide credentials that are recognized by Google Cloud to use Google Cloud services.
Workload Identity Federation
The preferred way to authenticate with Google Cloud using credentials from an external IdP is to use Workload Identity Federation; you create a credential configuration file and set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to it. This approach is more secure than creating a service account key.
For help with setting up Workload Identity Federation for ADC, see Workload Identity Federation with other clouds.
Service account key
If you are not able to configure Workload Identity Federation, then you must create a service account, grant it the IAM roles that your application requires, and create a key for the service account.
To create a service account key and make it available to ADC:
- Create a service account with the roles your application needs, and a key for that service account, by following the instructions in Creating a service account key.
- Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file that contains your credentials. This variable applies only to your current shell session, so if you open a new session, set the variable again.
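Because both approaches use the same GOOGLE_APPLICATION_CREDENTIALS variable, it is worth checking which kind of file it actually points to. The following is an added example, not part of the original documentation: it reads the file's `type` field (`external_account` for a Workload Identity Federation configuration, `service_account` for a key) and flags a key file that other local users can read. The function names and the sample file contents are constructed for illustration.

```python
import json
import os
import stat
import tempfile

# Constructed sample files (no real project, pool or key material).
SAMPLE_KEY = {"type": "service_account",
              "client_email": "app@example-project.iam.gserviceaccount.com",
              "private_key": "CONSTRUCTED-PLACEHOLDER"}
SAMPLE_FED = {"type": "external_account",
              "audience": "//iam.googleapis.com/projects/000000000000/locations/"
                          "global/workloadIdentityPools/example-pool/providers/example-provider",
              "credential_source": {"file": "/var/run/example/token"}}

def audit_adc_file(path):
    """Classify the ADC file at `path`; return (type, list of findings)."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    kind = data.get("type", "unknown")
    findings = []
    if kind == "service_account":
        findings.append("long-lived service account key; prefer Workload Identity Federation")
        # The key file is a bearer secret: only its owner should be able to read it.
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("key file is accessible to group/other; restrict to 0600")
    elif kind == "external_account":
        # A federation configuration describes where to fetch a token; it holds no key.
        if "private_key" in data:
            findings.append("federation configuration unexpectedly contains private_key")
    else:
        findings.append(f"unexpected credential type {kind!r}")
    return kind, findings

def audit_from_env(environ=os.environ):
    """Audit whatever file GOOGLE_APPLICATION_CREDENTIALS points to."""
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return "unset", ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    return audit_adc_file(path)

def write_sample(content, mode):
    """Write a constructed sample to a temp file with the given permissions."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(content, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(audit_from_env())
```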
What's next
- Learn about Workload Identity Federation.
- Understand best practices for using service account keys.
- Learn more about how ADC finds credentials.
- Explore authentication methods.