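If you are running your application outside of Google Cloud, you need to provide credentials that are recognized by Google Cloud to use Google Cloud services.
Workload Identity Federation
The preferred way to authenticate with Google Cloud using credentials from an external IdP is to use Workload Identity Federation: you create a credential configuration file and set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to it. This approach is more secure than creating a service account key.
Service account key
If you are not able to configure Workload Identity Federation, then you must create a service account, grant it the IAM roles that your application requires, and create a key for the service account.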
To create a service account key and make it available to ADC:
1. Create a service account with the roles your application needs, and a key for that service account, by following the instructions in Creating a service account key.
2. Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file that contains your credentials. This variable applies only to your current shell session, so if you open a new session, set the variable again.
Example: Linux or macOS
export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Replace KEY_PATH with the path of the JSON file that contains your credentials.
For example:
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"
Example: Windows
For PowerShell:
$env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Replace KEY_PATH with the path of the JSON file that contains your credentials.
For example:
$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
For command prompt:
set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH
Replace KEY_PATH with the path of the JSON file that contains your credentials.
Note: When you set the GOOGLE_APPLICATION_CREDENTIALS environment variable, ADC checks this location first, then checks other locations only if necessary.
Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources.
If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.
Last updated: 2025-08-25 (UTC)
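An added example, not part of the original page and not Google's own code: a Python check that opens the file GOOGLE_APPLICATION_CREDENTIALS would point to and reports whether it is a long-lived service account key or a Workload Identity Federation configuration, whether the file is accessible beyond its owner, and whether a federation configuration's endpoints sit on the expected Google hosts. The function names, the sample documents and the host allowlist (default googleapis.com endpoints) are assumptions of this example.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

# Assumption: default googleapis.com endpoints; other universe domains differ.
EXPECTED_HOSTS = {
    "token_url": "sts.googleapis.com",
    "service_account_impersonation_url": "iamcredentials.googleapis.com",
}

def audit_adc_file(path):
    """Return findings for the credential file ADC would load from path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # POSIX only: any group/other permission bit is set
        findings.append(f"mode {mode:o}: readable beyond the owner")
    with open(path, encoding="utf-8") as fh:
        cred = json.load(fh)
    ctype = cred.get("type")
    if ctype == "service_account":
        findings.append("long-lived service account key in use")
    elif ctype == "external_account":
        # Check only the endpoint fields that are present in the file.
        for field in sorted(EXPECTED_HOSTS.keys() & cred.keys()):
            parsed = urlparse(cred[field])
            if parsed.scheme != "https" or parsed.hostname != EXPECTED_HOSTS[field]:
                findings.append(f"{field}: unexpected endpoint {cred[field]}")
    else:  # this page covers only the two types above
        findings.append(f"type {ctype!r} not covered by this check")
    return findings

def write_sample(doc, mode=0o600):
    """Write a constructed sample credential file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    os.chmod(path, mode)
    return path

# Constructed samples with placeholder values, not real credentials.
SAMPLE_KEY = {"type": "service_account", "private_key": "PLACEHOLDER"}
SAMPLE_WIF = {"type": "external_account", "token_url": "https://sts.example.net/v1/token"}

if __name__ == "__main__":
    for doc, mode in ((SAMPLE_KEY, 0o644), (SAMPLE_WIF, 0o600)):
        path = write_sample(doc, mode)
        print(doc["type"], audit_adc_file(path))
        os.remove(path)
```

To check a real deployment, call audit_adc_file(os.environ["GOOGLE_APPLICATION_CREDENTIALS"]) in the same shell session where the variable was exported.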