Set up ADC for a local development environment

You can provide either your user credentials or service account credentials to ADC in a local development environment.

User credentials

When your code is running in a local development environment, such as a development workstation, the best option is to use the credentials associated with your user account.

How you configure ADC with your user account depends on whether your user account is managed by Google—in other words, it is a Google Account—or by another identity provider (IdP), and federated by using Workforce Identity Federation.

Google Account

To configure ADC with a Google Account, you use the Google Cloud CLI:

  1. Install the Google Cloud CLI.

    If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  2. If you're using a local shell, then create local authentication credentials for your user account:

    gcloud auth application-default login

    You don't need to do this if you're using Cloud Shell.

    If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    Note: To add scopes for services outside of Google Cloud, such as Google Drive, create an OAuth Client ID and provide it to the gcloud auth application-default login command by using the --client-id-file flag, specifying your scopes with the --scopes flag.

    A sign-in screen appears. After you sign in, your credentials are stored in the local credential file used by ADC.

External IdP

To configure ADC for a user account managed by an external IdP and federated with Workforce Identity Federation:

  1. Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:

    gcloud init

    If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  2. If you're using a local shell, then create local authentication credentials for your user account:

    gcloud auth application-default login

    You don't need to do this if you're using Cloud Shell.

    If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    A sign-in screen appears. After you sign in, your credentials are stored in the local credential file used by ADC.

Tips for configuring ADC with your user credentials

When you configure ADC with your user account, you should be aware of the following facts:

  • ADC configured with a user account might not work for some APIs without extra configuration steps. If you see an error message about the API not being enabled in the project, or that there is no quota project available, see User credentials not working.

  • The local ADC file contains your refresh token. Any user with access to your file system can use it to get a valid access token. If you no longer need these local credentials, you can revoke them by using the gcloud auth application-default revoke command.

  • Your local ADC file is associated with your user account, not your gcloud CLI configuration. Changing to a different gcloud CLI configuration might change the identity used by the gcloud CLI, but it does not affect your local ADC file or the ADC configuration.

Service account credentials

You can configure ADC with credentials from a service account by using service account impersonation or by using a service account key.

Service account impersonation

You can use service account impersonation to set up a local Application Default Credentials (ADC) file. Client libraries that support impersonation can use those credentials automatically. Local ADC files created by using impersonation are supported in the following languages:

  • C#
  • C++
  • Go
  • Java
  • Node.js
  • PHP
  • Python
  • Ruby
  • Rust

You must have the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) IAM role on the service account you are impersonating. For more information, see Required roles.

Use service account impersonation to create a local ADC file:

gcloud auth application-default login --impersonate-service-account SERVICE_ACCT_EMAIL

You can now use client libraries using the supported languages the same way you would after setting up a local ADC file with user credentials. Credentials are automatically found by the authentication libraries. For more information, see Authenticate for using client libraries.

Credentials from a local ADC file generated by using service account impersonation are not supported by all of the authentication libraries. For more information, see Error returned for local credentials from service account impersonation.

Service account keys

If you cannot use a user account or service account impersonation for local development, you can use a service account key.

Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources.

If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.

To create a service account key and make it available to ADC:

  1. Create a service account with the roles your application needs, and a key for that service account, by following the instructions in Creating a service account key.
  2. Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file that contains your credentials. This variable applies only to your current shell session, so if you open a new session, set the variable again.

    Example: Linux or macOS

    export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

    Replace KEY_PATH with the path of the JSON file that contains your credentials.

    For example:

    export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"

    Example: Windows

    For PowerShell:

    $env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

    Replace KEY_PATH with the path of the JSON file that contains your credentials.

    For example:

    $env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"

    For command prompt:

    set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH

    Replace KEY_PATH with the path of the JSON file that contains your credentials.

    Note: When you set the GOOGLE_APPLICATION_CREDENTIALS environment variable, ADC checks this location first, then checks other locations only if necessary.
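A local check for the two points above (the environment variable is read before the gcloud file, and the local ADC file holds a long-lived secret), as an added example that is not part of the original page or of any Google library. The function names are hypothetical, and the default file location under the gcloud configuration directory is an assumption not stated on this page.

```python
import json
import os
import stat
from pathlib import Path

ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"

def well_known_adc_path(env):
    """Default file written by `gcloud auth application-default login` (assumed location)."""
    if os.name == "nt":
        base = Path(env.get("APPDATA", ""))
    else:
        base = Path(env.get("HOME", "")) / ".config"
    return base / "gcloud" / "application_default_credentials.json"

def resolve_adc_file(env):
    """The environment variable is checked first, then the gcloud file."""
    if env.get(ENV_VAR):
        return Path(env[ENV_VAR]), ENV_VAR
    return well_known_adc_path(env), "gcloud well-known file"

def secrets_in(data):
    """Long-lived secrets in the file, including nested source credentials."""
    found = [k for k in ("refresh_token", "private_key") if data.get(k)]
    nested = data.get("source_credentials")
    if isinstance(nested, dict):
        found += secrets_in(nested)
    return found

def audit_adc(env):
    """Report which file ADC would read, its credential type, and its exposure."""
    path, source = resolve_adc_file(env)
    report = {"path": str(path), "source": source, "type": None, "findings": []}
    if not path.is_file():
        report["findings"].append("no credential file at this location")
        return report
    data = json.loads(path.read_text())
    report["type"] = data.get("type")
    for name in secrets_in(data):
        report["findings"].append(f"{name} stored on disk")
    if report["type"] == "service_account":
        report["findings"].append("service account key: prefer user credentials or impersonation")
    mode = stat.S_IMODE(path.stat().st_mode)
    if os.name != "nt" and mode & 0o077:
        report["findings"].append(f"mode {mode:o} is accessible to other local users")
    return report

if __name__ == "__main__":
    print(json.dumps(audit_adc(os.environ), indent=2))
```

Run it in the same shell session as your application so it sees the same GOOGLE_APPLICATION_CREDENTIALS value; a leftover export pointing at a downloaded key file shows up as the source even when a user-credential ADC file also exists.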


Last updated 2025-12-15 UTC.