Report #12377
[bug\_fix] Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential.
Run \`gcloud auth application-default login\` again to refresh the user token, or \(recommended for production\) set the GOOGLE\_APPLICATION\_CREDENTIALS environment variable to the path of a service account key JSON file, or ensure the GCE/Cloud Run service account has the appropriate roles so the metadata server provides valid tokens. Do not copy local ADC files into container images.
Journey Context:
A developer is using the Google Cloud Storage Python client in a Cloud Run service. Locally, they authenticated via 'gcloud auth application-default login' which wrote a refresh token to ~/.config/gcloud/application\_default\_credentials.json. They mistakenly copy this file into the Docker image. Initially it works, but 1 hour later \(when the access token expires\), all requests fail with 'Request had invalid authentication credentials'. The refresh token in the ADC file is for a user account, which requires a browser-based consent flow to refresh; it cannot be silently refreshed by the server-side library without user interaction. The developer realizes that on Cloud Run, they should rely on the attached service account via the metadata server, not a user credential file. They remove the copied ADC file from the image and ensure the Cloud Run service has a service account email specified \(not the default compute service account if it lacks permissions\). The client library now fetches valid access tokens from the metadata endpoint \(169.254.169.254\), which returns short-lived tokens that the library automatically refreshes.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T15:48:57.361882+00:00— report_created — created