Report #11189
[bug_fix] GCP DefaultCredentialsError: Could not automatically determine credentials
Unset the `GOOGLE_APPLICATION_CREDENTIALS` environment variable when running inside GCP (GCE, Cloud Run, GKE) to allow the client library to fetch tokens from the metadata server (169.254.169.254). For local development, run `gcloud auth application-default login`. Do not package JSON key files with deployments to GCP environments.
Journey Context:
A developer builds a Python service using `google-cloud-storage`. Locally, they set `export GOOGLE_APPLICATION_CREDENTIALS=/home/user/key.json` and the app works. They deploy to Cloud Run, but the container crashes with `DefaultCredentialsError: File /home/user/key.json referenced by GOOGLE_APPLICATION_CREDENTIALS was not found`. They realize the local path doesn't exist in the container. They consider adding the JSON key to the Docker image, which is a security anti-pattern. They then try to mount the key as a secret, which works but adds unnecessary complexity. The root cause is a misunderstanding: in Cloud Run (and GCE, GKE), the metadata server provides a token for the attached Service Account automatically. By setting `GOOGLE_APPLICATION_CREDENTIALS`, they overrode this mechanism and forced the library to look for a file that doesn't exist. The fix is removing the env var from the Cloud Run service configuration (`gcloud run services update my-service --clear-env-vars` or specifically removing `GOOGLE_APPLICATION_CREDENTIALS`). The client library then successfully queries `http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token` to get an access token.
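Added example, not part of the original report or of any Google library: a container startup preflight that classifies which credential source would be picked, so the misconfiguration above fails the deploy with a clear message instead of a crash at first API call. The status names are made up for illustration, and detecting the runtime through `K_SERVICE` (Cloud Run) or `KUBERNETES_SERVICE_HOST` (Kubernetes pods) is a heuristic assumed here that does not recognise plain GCE VMs.

```python
import json
import os

ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"


def on_gcp_runtime(env):
    """Heuristic (assumption): Cloud Run sets K_SERVICE, Kubernetes pods set KUBERNETES_SERVICE_HOST."""
    return "K_SERVICE" in env or "KUBERNETES_SERVICE_HOST" in env


def check_adc(env):
    """Return (status, advice) for the credential source the environment selects."""
    path = env.get(ENV_VAR)
    managed = on_gcp_runtime(env)
    if not path:
        if managed:
            return "metadata-server", "No override set; the attached service account is used."
        return "local-adc", "For local development run `gcloud auth application-default login`."
    if not os.path.isfile(path):
        # The failure in this report: the variable takes precedence over the
        # metadata server, and the referenced file is not in the container.
        return "missing-file", f"{ENV_VAR}={path} does not exist; unset the variable."
    try:
        with open(path, encoding="utf-8") as fh:
            kind = json.load(fh).get("type")
    except (OSError, ValueError, AttributeError):
        return "unreadable-file", f"{path} is not a readable JSON credentials file."
    if managed and kind == "service_account":
        # A long-lived key shipped into a GCP runtime: the anti-pattern named above.
        return "key-file-in-deployment", "Remove the key file and the variable; use the attached service account."
    return "explicit-file", f"Credentials are read from {path}."


if __name__ == "__main__":
    status, advice = check_adc(os.environ)
    print(f"{status}: {advice}")
    # Non-zero exit lets an entrypoint script or CI step stop the rollout.
    ok = ("metadata-server", "local-adc", "explicit-file")
    raise SystemExit(0 if status in ok else 1)
```

Only the `type` field of the file is read; the key material is never loaded or logged.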
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T12:45:15.635924+00:00 — report_created — created