This document describes how to authenticate to Pub/Sub programmatically.
For more information about Google Cloud authentication, see the authentication overview.
Pub/Sub supports programmatic access. How you authenticate to Pub/Sub depends on how you access the API. You can access the API in the following ways:
The Pub/Sub client libraries provide high-level language support for authenticating to Pub/Sub programmatically. Client libraries support Application Default Credentials (ADC); the libraries look for credentials in a set of defined locations and use those credentials to authenticate requests to the API. With ADC, you can make credentials available to your application in a variety of environments, such as local development or production, without needing to modify your application code.
To use ADC, you must first provide your credentials to ADC.
Google Cloud CLI
If your organization's security policies prevent user accounts from having the required
permissions, you can impersonate a service account, either by using the
or by using the
which affects only the command for which you use it.
For more information about using the gcloud CLI with Pub/Sub, see the gcloud CLI reference pages.
User credentials and ADC for Pub/Sub
One way to provide credentials to ADC is to use the gcloud CLI to insert your user credentials into a credential file. This file is placed on your local file system where ADC can find it; ADC then uses the provided user credentials to authenticate requests. This method is often used for local development.
If you use this method, you might encounter an authentication error when you try to authenticate to Pub/Sub. For more information about this error and how to address it, see User credentials not working.
Access control in Pub/Sub
- Learn more about Google Cloud authentication.
- See a list of authentication use cases.
- Learn more about Pub/Sub OAuth 2.0 scopes.