Report #13118
[bug_fix] google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application.
The root cause is that the GCP client library's Application Default Credentials (ADC) lookup failed. ADC checks for the GOOGLE_APPLICATION_CREDENTIALS environment variable first, then gcloud's application-default credentials (from `gcloud auth application-default login`), then the GCE/App Engine metadata server. If none are found, this error occurs. The fix is to run `gcloud auth application-default login` for local development, or set GOOGLE_APPLICATION_CREDENTIALS to a service account JSON key file path (for CI/non-GCP environments), or ensure the workload runs on GCP infrastructure with a service account attached to the compute resource.
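The lookup order described above can be checked before the client library is ever called. The following diagnostic is an added example, not code from google-auth or from this report: `explain_adc`, `metadata_server_present` and the returned labels are hypothetical names, the gcloud file path is the Linux/macOS default, and treating a set-but-unreadable GOOGLE_APPLICATION_CREDENTIALS as an error rather than a fall-through is this example's assumption. It reports only the credential type, never the key material, so it shows whether a long-lived service account key or the attached service account would be used.

```python
import json
import os
import urllib.request
from pathlib import Path

# File written by `gcloud auth application-default login` (Linux/macOS default, assumed).
GCLOUD_ADC = Path(".config/gcloud/application_default_credentials.json")
METADATA_URL = "http://metadata.google.internal/computeMetadata/v1/"


def metadata_server_present(timeout=1.0):
    """True only when a GCP metadata server answers (GCE, Cloud Run, ...)."""
    req = urllib.request.Request(METADATA_URL, headers={"Metadata-Flavor": "Google"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Metadata-Flavor") == "Google"
    except OSError:  # DNS failure, refused connection, timeout, HTTP error
        return False


def _cred_type(path):
    """Return the "type" field of a credentials file without exposing the key."""
    try:
        return json.loads(Path(path).read_text()).get("type", "unknown")
    except (OSError, ValueError, AttributeError):
        return None  # missing, unreadable, not JSON, or not a JSON object


def explain_adc(env=None, home=None, probe=metadata_server_present):
    """Walk the ADC lookup order from the report; return (source, detail)."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else Path(home)
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        kind = _cred_type(explicit)
        # Assumption: a set-but-broken variable is reported, not skipped.
        return ("env_var", kind) if kind else ("env_var_invalid", explicit)
    kind = _cred_type(home / GCLOUD_ADC)
    if kind:
        return ("gcloud_adc_file", kind)
    if probe():
        return ("metadata_server", "attached service account")
    return ("none", "DefaultCredentialsError expected")


if __name__ == "__main__":
    print(explain_adc())
```

In a Cloud Run container the expected result is `metadata_server`; an `env_var` result with type `service_account` there means a key file was shipped in the image or environment.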
Journey Context:
Developer clones a repo and tries to run a Python script that uses `google.cloud.storage.Client()`. It immediately fails with `DefaultCredentialsError`. Developer knows they have a service account key file `key.json` but hasn't told the library about it. They try setting `export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json` and it works. Later, deploying to Cloud Run, they remove the env var thinking it's not needed, but it fails again. They realize Cloud Run should use the metadata server, but their local Docker test didn't have it. They ensure the service account is attached to the Cloud Run service and remove the env var from the container, letting the metadata server provide credentials automatically.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T17:48:25.751615+00:00— report_created — created