Authenticate workloads to Google Cloud APIs using service accounts

This page describes how to use service accounts to enable apps running on your virtual machine (VM) instances to authenticate to Google Cloud APIs and authorize access to resources.

To use service accounts for authentication, you must first ensure that your VM is configured to use a service account. To do this, complete one of the following procedures:

Before you begin

Overview

After you have set up a VM instance to run using a service account, an application running on the VM instance can use one of the following methods for authentication:

Authenticating applications using service account credentials

After setting up an instance to run as a service account, you can use service account credentials to authenticate applications running on the instance.

Authenticating applications with a client library

Client libraries can use Application Default Credentials to authenticate with Google APIs and send requests to those APIs. Application Default Credentials lets applications automatically obtain credentials from multiple sources so you can test your application locally and then deploy it to a Compute Engine instance without changing the application code.

For information about setting up Application Default Credentials, see Provide credentials to Application Default Credentials.

This example uses the Python client library to authenticate and make a request to the Cloud Storage API to list the buckets in a project. The example uses the following procedure:

  1. Obtain the necessary authentication credentials for the Cloud Storage API and initialize the Cloud Storage client (storage.Client()) with those credentials.
  2. List buckets in Cloud Storage.

You can run this sample on an instance that has access to manage buckets in Cloud Storage.

Note: You might need to run this script with sudo.

import argparse
from typing import List

from google.cloud import storage


def create_client() -> storage.Client:
    """
    Construct a client object for the Storage API using the
    application default credentials.

    Returns:
        Storage API client object.
    """
    # Construct the service object for interacting with the Cloud Storage API -
    # the 'storage' service, at version 'v1'.
    # Authentication is provided by application default credentials.
    # When running locally, these are available after running
    # `gcloud auth application-default login`. When running on Compute
    # Engine, these are available from the environment.
    return storage.Client()


def list_buckets(client: storage.Client, project_id: str) -> List[storage.Bucket]:
    """
    Retrieve bucket list of a project using provided client object.

    Args:
        client: Storage API client object.
        project_id: name of the project to list buckets from.

    Returns:
        List of Buckets found in the project.
    """
    # Pass the project explicitly so the listing is scoped to project_id
    # rather than to whatever default project the client resolved.
    buckets = client.list_buckets(project=project_id)
    return list(buckets)


def main(project_id: str) -> None:
    client = create_client()
    buckets = list_buckets(client, project_id)
    print(buckets)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
    )
    parser.add_argument("project_id", help="Your Google Cloud Project ID.")
    args = parser.parse_args()
    main(args.project_id)

Authenticating applications directly with access tokens

For most applications, you can authenticate by using Application Default Credentials, which finds credentials and manages tokens for you. However, if your application requires you to provide an OAuth2 access token, Compute Engine lets you get an access token from its metadata server for use in your application.

There are several options for obtaining and using these access tokens to authenticate your applications. For example, you can use curl to create a simple request, or use a programming language like Python for more flexibility.

cURL

To use curl to request an access token and send a request to an API:

  1. On the instance where your application runs, query the metadata server for an access token by running the following command:

    $ curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
        -H "Metadata-Flavor: Google"

    The request returns a response similar to:

    {
      "access_token": "ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_QtAS08i85nHq39HE3C2LTrCARA",
      "expires_in": 3599,
      "token_type": "Bearer"
    }

    For API requests you need to include the access_token value, not the entire response. If you have the jq command-line JSON processor installed, you can use the following command to extract the access token value from the response:

    $ ACCESS_TOKEN=$(curl \
        "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
        -H "Metadata-Flavor: Google" | jq -r '.access_token')
  2. Copy the value of the access_token property from the response and use it to send requests to the API. For example, the following request prints a list of instances in your project from a certain zone:

    $ curl https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances \
        -H "Authorization: Bearer ACCESS_TOKEN"

    Replace the following:

    • PROJECT_ID: the project ID for this request.
    • ZONE: the zone to list VMs from.
    • ACCESS_TOKEN: the access token value you got from the previous step.
    Note: You can use the access token only for scopes that you specified when you created the instance. For example, if the instance has been granted only the https://www.googleapis.com/auth/storage-full scope for Cloud Storage, then it can't use the access token to make a request to BigQuery.

    For information about the parameters that you can set in your request, see the System parameters documentation.

Python

This example demonstrates how to request a token to access the Cloud Storage API in a Python application. The example uses the following procedure:

  1. Request an access token from the metadata server.
  2. Extract the access token from the server response.
  3. Use the access token to make a request to Cloud Storage.
  4. If the request is successful, the script prints the response.

import argparse

import requests

METADATA_URL = "http://metadata.google.internal/computeMetadata/v1/"
METADATA_HEADERS = {"Metadata-Flavor": "Google"}
SERVICE_ACCOUNT = "default"


def get_access_token() -> str:
    """
    Retrieves access token from the metadata server.

    Returns:
        The access token.
    """
    url = f"{METADATA_URL}instance/service-accounts/{SERVICE_ACCOUNT}/token"

    # Request an access token from the metadata server.
    r = requests.get(url, headers=METADATA_HEADERS, timeout=10)
    r.raise_for_status()

    # Extract the access token from the response.
    access_token = r.json()["access_token"]

    return access_token


def list_buckets(project_id: str, access_token: str) -> dict:
    """
    Calls Storage API to retrieve a list of buckets.

    Args:
        project_id: name of the project to list buckets from.
        access_token: access token to authenticate with.

    Returns:
        Response from the API.
    """
    url = "https://www.googleapis.com/storage/v1/b"
    params = {"project": project_id}
    # The token goes in the Authorization header as a Bearer credential.
    headers = {"Authorization": f"Bearer {access_token}"}

    r = requests.get(url, params=params, headers=headers, timeout=10)
    r.raise_for_status()

    return r.json()


def main(project_id: str) -> None:
    """
    Retrieves access token from metadata server and uses it to list
    buckets in a project.

    Args:
        project_id: name of the project to list buckets from.
    """
    access_token = get_access_token()
    buckets = list_buckets(project_id, access_token)
    print(buckets)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
    )
    parser.add_argument("project_id", help="Your Google Cloud project ID.")
    args = parser.parse_args()
    main(args.project_id)

Access tokens expire after a short period of time. The metadata server caches access tokens until they have 5 minutes of remaining time before they expire. If tokens are unable to be cached, requests that exceed 50 queries per second might be rate limited. Your applications must have a valid access token for their API calls to succeed.
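The expiry and caching behaviour described above, as an added example that is not code from the original page or from Google's client libraries: an in-process cache that keeps the metadata server's token response, asks for a new one only once fewer than 5 minutes remain (the same margin the server uses), and builds the Bearer header for API calls. The MetadataTokenCache class, make_fake_fetch (a constructed stand-in for the metadata server so the block runs off a VM) and the injectable clock are assumptions of this example.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, Optional

METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}
# Refresh once fewer than 5 minutes remain, the window the metadata
# server itself uses before it hands out a fresh token.
REFRESH_MARGIN_SECONDS = 300


def fetch_from_metadata_server() -> Dict:
    # Real fetch of the token JSON; only works on a Compute Engine VM.
    req = urllib.request.Request(METADATA_TOKEN_URL, headers=METADATA_HEADERS)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def make_fake_fetch(expires_in: int = 3599) -> Callable[[], Dict]:
    """Constructed stand-in for the metadata server, for offline runs."""
    calls = {"n": 0}

    def fetch() -> Dict:
        calls["n"] += 1
        return {"access_token": f"constructed-token-{calls['n']}",
                "expires_in": expires_in, "token_type": "Bearer"}
    return fetch


class MetadataTokenCache:
    """Hypothetical in-process cache: keeps the token until it is close to
    expiry so a busy loop does not query the metadata server per call."""

    def __init__(self, fetch: Callable[[], Dict] = fetch_from_metadata_server,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch, self._clock = fetch, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # how many times the server was actually asked

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_SECONDS:
            resp = self._fetch()
            if resp.get("token_type") != "Bearer" or "access_token" not in resp:
                raise ValueError("unexpected token response from metadata server")
            self._token = resp["access_token"]
            self._expires_at = self._clock() + int(resp["expires_in"])
            self.fetch_count += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.get()}"}
```

On a VM, MetadataTokenCache() with no arguments uses the real metadata server; fetch_count shows how rarely the server is actually contacted.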

Authenticating tools on an instance using a service account

Some applications might use commands from the gcloud CLI, which is included by default in most Compute Engine images. The gcloud CLI automatically recognizes an instance's service account and relevant permissions granted to the service account. Specifically, if you grant the correct roles to the service account, you can use the gcloud CLI from your instances without having to use gcloud auth login.

This service account recognition happens automatically and applies only to the gcloud CLI that is included with the instance. If you create new tools or add custom tools, you must authorize your application using a client library or by using access tokens directly in your application.

To take advantage of automatic service account recognition, grant the appropriate IAM roles to the service account and attach the service account to the instance. For example, if you grant a service account the roles/storage.objectAdmin role, the gcloud CLI can automatically manage and access Cloud Storage objects.

Likewise, if you enable roles/compute.instanceAdmin.v1 for the service account, the gcloud compute tool can automatically manage instances.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.