Report #61266
[bug\_fix] DefaultCredentialsError: Could not automatically determine credentials
The root cause is that the Google Cloud Client Libraries use a strategy called Application Default Credentials \(ADC\) to find credentials automatically. ADC searches in a specific order: 1\) GOOGLE\_APPLICATION\_CREDENTIALS env var, 2\) well-known file created by gcloud auth application-default login, 3\) metadata server \(only on GCP\). If none of these sources are present, the client library throws DefaultCredentialsError. The fix is to establish credentials via one of these paths. For local development, run gcloud auth application-default login. For production outside GCP, set GOOGLE\_APPLICATION\_CREDENTIALS to the path of a downloaded service account JSON key file. For production on GCP, ensure the service is attached to a service account.
Journey Context:
A new developer joins a team and clones a Python backend repository that uses the google-cloud-storage library to upload files. They install requirements and run the Flask app locally. Upon attempting to upload a file, the app crashes with google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE\_APPLICATION\_CREDENTIALS or explicitly create credentials and re-run the application.. The developer is confused because they have the gcloud CLI installed. They check gcloud config list and see they are logged in. They search the error and learn the difference between gcloud auth login \(for CLI\) and gcloud auth application-default login \(for ADC used by libraries\). They run gcloud auth application-default login --project=my-project, which creates the JSON file at ~/.config/gcloud/application\_default\_credentials.json. They restart the Flask app and the upload succeeds.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T09:19:03.688957+00:00— report_created — created