The Application Default Credentials are not available. They are available if running in Google Compute Engine.
Today in this article, we will cover below aspects,
Issue Description
The application gives below error when trying to access secured IAP resources in Google Cloud,
InvalidOperationException: The Application Default Credentials are not available. They are available if running in Google Compute Engine. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
Google.Apis.Auth.OAuth2.DefaultCredentialProvider.CreateDefaultCredentialAsync()
Resolution
When the application runs inside a Google Cloud environment, It will have a default service account.
Default credentials will be available if your application is running in Google Compute Engine, Compute Engine, Google Kubernetes Engine, App Engine, Cloud Run, and Cloud Functions.
If the application is running in a Clouds or Local or New environment Google client libraries automatically try to find service account credentials using a library called Application Default Credentials (ADC).
Google client library tries to find the Service Account secured file in the below order as per googles IAP guidelines,
I – If GOOGLE_APPLICATION_CREDENTIALS is SET and it uses the Service account file path using the value associated with the above Environment variable GOOGLE_APPLICATION_CREDENTIALS
II – If GOOGLE_APPLICATION_CREDENTIALS is not SET then the following preferences are set,
- ADC uses a Service account file that is running the code.
- Else If a Service Account also does exist then ADC uses the default service account that Compute Engine, Google Kubernetes Engine, App Engine, and Cloud Functions provide.
The above error gets produce if any of the above criteria doesn’t works.
How to Debug Application Locally
You may want to Debug the Application locally on LocalHost.
If you already have a Service Account created then it applies to an application instead of an individual user. You need to authenticate a service account when while accessing your IAP-secured resources.
Please make sure to set Environment Variable GOOGLE_APPLICATION_CREDENTIALS with the secured key JSON file path.
Example
C#:
Environment.SetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS", "secured-service-account.json");
Python:
import os os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = 'secured-service-account.json'
After adding the above user can debug locally from their machine and access or verify restricted or secured resources.
Did I miss anything else in these resolution steps?
Did the above steps resolve your issue? Please sound off your comments below!
Happy Coding !!
Please bookmark this page and share it with your friends. Please Subscribe to the blog to receive notifications on freshly published(2024) best practices and guidelines for software design and development.
