Authentication

In general, the google-cloud-storage library uses Service Account credentials to connect to Google Cloud services. When running on Google Cloud Platform (GCP), including Google Compute Engine (GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud Functions (GCF) and Cloud Run, the credentials will be discovered automatically. When running on other environments, the Service Account credentials can be specified by providing the path to the JSON keyfile for the account (or the JSON itself) in environment variables. Additionally, Cloud SDK credentials can also be discovered automatically, but this is only recommended during development.

Project and Credential Lookup

The google-cloud-storage library aims to make authentication as simple as possible, and provides several mechanisms to configure your system without providing Project ID and Service Account Credentials directly in code.

Project ID is discovered in the following order:

  1. Specify project ID in method arguments
  2. Specify project ID in configuration
  3. Discover project ID in environment variables
  4. Discover GCE project ID

Credentials are discovered in the following order:

Warning

If you accept a credential configuration (JSON file or Hash) from an external source for authentication to Google Cloud, you must validate it before providing it to a Google API client library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data.

  1. Specify credentials in method arguments
  2. Specify credentials in configuration
  3. Discover credentials path in environment variables
  4. Discover credentials JSON in environment variables
  5. Discover credentials file in the Cloud SDK's path
  6. Discover GCE credentials
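
One way to apply the warning above, as an added example (not code from the google-cloud-storage library): a validator that accepts only service-account keys whose token_uri points at Google's OAuth endpoint. The allowlists, the constant and method names, and the sample key are assumptions of this example.

```ruby
require "json"
require "uri"

# Assumed policy for this example: accept only service-account keys whose
# token endpoint is Google's. Adjust the allowlists to your own policy.
ALLOWED_TYPES       = ["service_account"].freeze
ALLOWED_TOKEN_HOSTS = ["oauth2.googleapis.com"].freeze
REQUIRED_FIELDS     = %w[type project_id private_key client_email token_uri].freeze

# Constructed sample (not a real key).
SAMPLE_KEY = {
  "type" => "service_account", "project_id" => "my-project-id",
  "private_key" => "PLACEHOLDER", "client_email" => "svc@my-project-id.iam.gserviceaccount.com",
  "token_uri" => "https://oauth2.googleapis.com/token"
}.freeze

class UntrustedCredentialError < StandardError; end

# Parses and checks a credential configuration received from outside the
# application. Returns the parsed Hash, or raises UntrustedCredentialError.
def validate_credential_config(raw_json)
  config = begin
    JSON.parse(raw_json)
  rescue JSON::ParserError => e
    raise UntrustedCredentialError, "not valid JSON: #{e.message}"
  end
  raise UntrustedCredentialError, "top level must be an object" unless config.is_a?(Hash)

  # Other types (for example external_account) can carry URLs or file paths
  # that the auth library acts on, so this policy rejects them outright.
  type = config["type"]
  raise UntrustedCredentialError, "credential type #{type.inspect} not allowed" unless ALLOWED_TYPES.include?(type)

  missing = REQUIRED_FIELDS.reject { |f| config[f].is_a?(String) && !config[f].empty? }
  raise UntrustedCredentialError, "missing fields: #{missing.join(', ')}" unless missing.empty?

  uri = begin
    URI.parse(config["token_uri"])
  rescue URI::InvalidURIError
    raise UntrustedCredentialError, "token_uri is not a valid URI"
  end
  unless uri.is_a?(URI::HTTPS) && ALLOWED_TOKEN_HOSTS.include?(uri.host)
    raise UntrustedCredentialError, "token_uri host #{uri.host.inspect} not allowed"
  end

  config
end
```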

Google Cloud Platform environments

When running on Google Cloud Platform (GCP), including Google Compute Engine (GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud Functions (GCF) and Cloud Run, the Project ID and Credentials are discovered automatically. Code should be written as if already authenticated.

Environment Variables

The Project ID and Credentials JSON can be placed in environment variables instead of declaring them directly in code. Each service has its own environment variable, allowing for different service accounts to be used for different services. (See the READMEs for the individual service gems for details.) The path to the Credentials JSON file can be stored in the environment variable, or the Credentials JSON itself can be stored for environments such as Docker containers where writing files is difficult or not encouraged.

The environment variables that Storage checks for project ID are:

  1. STORAGE_PROJECT
  2. GOOGLE_CLOUD_PROJECT

The environment variables that Storage checks for credentials are configured on Google::Cloud::Storage::Credentials:

  1. STORAGE_CREDENTIALS - Path to JSON file, or JSON contents
  2. STORAGE_KEYFILE - Path to JSON file, or JSON contents
  3. GOOGLE_CLOUD_CREDENTIALS - Path to JSON file, or JSON contents
  4. GOOGLE_CLOUD_KEYFILE - Path to JSON file, or JSON contents
  5. GOOGLE_APPLICATION_CREDENTIALS - Path to JSON file

    require "google/cloud/storage"

    ENV["STORAGE_PROJECT"]     = "my-project-id"
    ENV["STORAGE_CREDENTIALS"] = "path/to/keyfile.json"

    storage = Google::Cloud::Storage.new

Configuration

The Project ID and the path to the Credentials JSON file can be configured instead of placing them in environment variables or providing them as arguments.

    require "googleauth"
    require "google/cloud/storage"

    credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
      json_key_io: ::File.open("/path/to/keyfile.json"),
      scope: "https://www.googleapis.com/auth/devstorage.full_control"
    )

    Google::Cloud::Storage.configure do |config|
      config.project_id  = "my-project-id"
      config.credentials = credentials
    end

    storage = Google::Cloud::Storage.new

Cloud SDK

This option allows for an easy way to authenticate during development. If credentials are not provided in code or in environment variables, then Cloud SDK credentials are discovered.

To configure your system for this, simply:

  1. Download and install the Cloud SDK
  2. Authenticate using OAuth 2.0: $ gcloud auth login
  3. Write code as if already authenticated.

NOTE: The use of Cloud SDK credentials is not recommended for running in production. The Cloud SDK should only be used during development.

NOTE: The use of Cloud SDK credentials may not support certain methods such as those that produce signed URLs and post objects. For these methods, authentication using a service account JSON key file is required.

Creating a Service Account

Google Cloud requires a Project ID and Service Account Credentials to connect to the APIs. You will use the Project ID and JSON key file to connect to most services with google-cloud-storage.

If you are not running this client on Google Compute Engine, you need a Google Developers service account.

  1. Visit the Google Cloud Console.
  2. Create a new project or click on an existing project.
  3. Activate the menu in the upper left and select APIs & Services. From here, you will enable the APIs that your application requires.

    Note: You may need to enable billing in order to use these services.

  4. Select Credentials from the side navigation.

    Find the "Create credentials" drop down near the top of the page, and select "Service account" to be guided through downloading a new JSON key file.

    If you want to re-use an existing service account, you can easily generate a new key file. Just select the account you wish to re-use, click the pencil tool on the right side to edit the service account, select the Keys tab, and then select Add Key.

    The key file you download will be used by this library to authenticate API requests and should be stored in a secure location.

Troubleshooting

If you're having trouble authenticating you can ask for help by following the Troubleshooting Guide.


Last updated 2025-11-04 UTC.