This page describes some common problems you might encounter when using Application Default Credentials (ADC).
For information about how ADC works, including where credentials are found, see How Application Default Credentials works.
User credentials not working
If your API request returns an error message about user credentials not being supported by this API, the API not being enabled in the project, or no quota project being set, review the following information.
There are two kinds of Google Cloud APIs:
Resource-based APIs, which use the project associated with the resources being accessed for billing and quota.
Client-based APIs, which use the project associated with the client accessing the resources for billing and quota.
When you provide user credentials to authenticate to a client-based API, you must specify the project to use for billing and quota. This project is called the quota project.
There are a number of ways to specify a quota project, including the following options:
Update your ADC file to use a different project as the quota project:
gcloud auth application-default set-quota-project YOUR_PROJECT
If you are using the gcloud CLI to call the API, you can set your quota project in your gcloud CLI config:
gcloud config set billing/quota_project YOUR_PROJECT
If you are calling the REST or RPC API directly, use the
x-goog-user-project
HTTP header to specify a quota project in each request. For details, see Set the quota project with a REST request.
You must have the serviceusage.services.use
IAM permission for
a project to be able to designate it as your billing project. The
serviceusage.services.use
permission is included in the Service Usage Consumer
IAM role. If you don't have the serviceusage.services.use
permission for any project, contact your security administrator or a project
owner who can give you the Service Usage Consumer role in the project.
For more information about quota projects, see Quota project overview. For information about additional ways to set the quota project, see Set the quota project.
Incorrect credentials
If your credentials don't seem to be providing the access you expect, or aren't found, check the following:
If you are using the gcloud CLI to access Google Cloud in a local environment, make sure you understand which credentials you are using. When you use the gcloud CLI, you are using the credentials you provided to the gcloud CLI by using the
gcloud auth login
command. You are not using the credentials you provided to ADC. For more information about these two sets of credentials, see gcloud CLI authentication configuration and ADC configuration.Make sure that the
GOOGLE_APPLICATION_CREDENTIALS
environment variable is set only if you are using a service account key or other JSON file for ADC. The credentials pointed to by the environment variable take precedence over other credentials, including for Workload Identity Federation for GKE.Confirm that the principal making the request has the required IAM roles. If you are using user credentials, then the roles must be granted to the email address associated with the user account. If you are using a service account, then that service account must have the required roles.
If you provide an API key with the API request, the API key takes precedence over ADC in any location. If you have set the
GOOGLE_APPLICATION_CREDENTIALS
environment variable and you are using an API key, the API might return a warning telling you that the credentials you provided to ADC are being ignored. To stop the warning, unset theGOOGLE_APPLICATION_CREDENTIALS
environment variable.
Unrecognized credential type
If your API request returns an error that includes Error creating credential
from JSON. Unrecognized credential type
, make sure you are using a valid
credential. Client ID files are not supported to provide credentials for ADC.
Error returned for local credentials from service account impersonation
Credentials from a local ADC file generated by using service account
impersonation are not supported by all of the authentication libraries. If your
call returns an error similar to Neither metadata server or valid service
account credentials are found
, you can't use local impersonated credentials for
this task.
To avoid this error, create your ADC file from your user credentials or run your code in an environment that has a metadata server available (such as Compute Engine).
Access blocked when using scopes
When you attempt to create a local ADC file, and an error similar to This app
is blocked
or Access blocked: Authorization Error
is returned, you might be
attempting to use scopes that aren't supported by the
default ADC setup command. Typically, this issue is caused by
adding scopes for applications outside of Google Cloud, such as Google
Drive.
By default, the access tokens generated from a local ADC file created with user credentials include
the
cloud-wide scope https://www.googleapis.com/auth/cloud-platform
.
To specify scopes explicitly, you use the
–-scopes
flag
with the gcloud auth application-default login
command.
To add scopes for services outside of Google Cloud, such as Google Drive,
create an OAuth Client ID
and provide it to the gcloud auth application-default login
command by using the
–-client-id-file
flag, specifying
your scopes with the
-–scopes
flag.