Report #26333
[bug\_fix] DefaultCredentialsError: Could not automatically determine credentials \(GCP Application Default Credentials not found\)
Set the \`GOOGLE\_APPLICATION\_CREDENTIALS\` environment variable to the file path of a valid service account JSON key, or run \`gcloud auth application-default login\` to create local ADC credentials for development, or ensure the code runs on GCP infrastructure \(GCE, Cloud Run, etc.\) where the metadata service is available.
Journey Context:
A developer clones a GitHub repository containing a Python app that uses Google Cloud Storage. They install dependencies \(\`pip install google-cloud-storage\`\) and run \`python main.py\`. It immediately raises \`DefaultCredentialsError: Could not automatically determine credentials\`. The developer checks the README \(which mentions 'set up GCP auth'\). They try setting \`GOOGLE\_APPLICATION\_CREDENTIALS\` to a path that doesn't exist \(same error\). They search online and see advice to run \`gcloud auth application-default login\`. They execute it, authenticate via browser, and the command writes credentials to \`~/.config/gcloud/application\_default\_credentials.json\`. They run the Python script again: it works. Later, they Dockerize the app. It fails again inside the container because the container doesn't have the host's gcloud config. They realize they need to mount the service account key JSON into the container and set \`ENV GOOGLE\_APPLICATION\_CREDENTIALS=/app/key.json\`. After doing so, it works in the container. The fix works because GCP client libraries follow the Application Default Credentials \(ADC\) strategy: they check for the env var first, then the well-known gcloud location, then the metadata service \(only available on GCP\). If none are present, the library cannot determine which identity to use.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T22:36:06.290331+00:00— report_created — created