Report #87767
[bug_fix] google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials
Run `gcloud auth application-default login` to generate local ADC credentials in `~/.config/gcloud/application_default_credentials.json`, or attach a service account to the compute resource (GCE/Cloud Run/GKE) and ensure the metadata server is reachable. The root cause is that the Google Cloud client library searches for credentials in a defined order (the `GOOGLE_APPLICATION_CREDENTIALS` environment variable, the well-known ADC file, then the metadata server) and raises this error if none of them yields usable credentials.
Journey Context:
A developer writes a Python script using `google-cloud-storage` that runs perfectly on their local workstation where they previously executed `gcloud auth login`. They containerize the application using a distroless Docker image and deploy it to Cloud Run. The container crashes immediately with `DefaultCredentialsError`. They check the Dockerfile: no `GOOGLE_APPLICATION_CREDENTIALS` environment variable is set. They SSH into a test GCE VM and run the script, which works because the VM has a default service account attached, but Cloud Run does not automatically attach the developer's personal credentials. They realize that `gcloud auth` stores credentials in the user's home directory, which is not present in the container. They initially consider baking a service account JSON key into the image but recognize the security risk. Instead, they configure the Cloud Run service to use a specific service account via the `--service-account` flag, allowing the metadata server to provide an access token to the container without embedding keys. Alternatively, for local testing, they run `gcloud auth application-default login` to generate the ADC file that the library detects automatically.
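A diagnostic for the search order described above, as an added example (not part of the original report and not google-auth's own code). The function names, the returned tuple and the one-second probe timeout are assumptions; it approximates the lookup to show which source would win and flags a service account key file on disk.

```python
# Added illustration; helper names are hypothetical, not google-auth API.
import json
import os
import urllib.request
from pathlib import Path

METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/email")
WELL_KNOWN = ".config/gcloud/application_default_credentials.json"

def _file_kind(path):
    """Return the credential file's "type" field, or None if unusable."""
    try:
        return json.loads(Path(path).read_text()).get("type")
    except (OSError, ValueError, AttributeError):
        return None

def probe_metadata(timeout=1.0):
    """Ask the metadata server for the attached service account email."""
    req = urllib.request.Request(METADATA_URL, headers={"Metadata-Flavor": "Google"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode().strip()
    except OSError:  # DNS failure, timeout, refused connection, HTTP error
        return None

def diagnose_adc(env=None, home=None, probe=probe_metadata):
    """Walk env var -> well-known file -> metadata server; return (source, detail, warning)."""
    env = os.environ if env is None else env
    home = Path(home) if home else Path.home()
    candidates = [("env", env.get("GOOGLE_APPLICATION_CREDENTIALS")),
                  ("well_known_file", home / WELL_KNOWN)]
    for source, path in candidates:
        if not path:
            continue
        kind = _file_kind(path)
        if kind is None and source == "env":
            return (source, str(path), "env var points at a missing or invalid file")
        if kind is None:
            continue
        warning = ("long-lived service account key on disk; prefer an attached "
                   "service account" if kind == "service_account" else None)
        return (source, kind, warning)
    email = probe()
    if email:
        return ("metadata_server", email, None)
    return (None, None, "no ADC source found; expect DefaultCredentialsError")

if __name__ == "__main__":
    print(diagnose_adc())
```

Run inside the failing container, a `(None, None, ...)` result matches the crash in the report, while `metadata_server` confirms that the attached service account is visible.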
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T05:54:04.124913+00:00 — report_created — created