env.dev

GOOGLE_APPLICATION_CREDENTIALS

Sensitive

The file path to a Google Cloud service account key JSON file. Used by Google Cloud client libraries for authentication via Application Default Credentials (ADC). This is the most common way to authenticate server-to-server communication with GCP services.

GOOGLE_APPLICATION_CREDENTIALS holds a filesystem path (not the JSON itself) to a credentials file that Google's client libraries load via Application Default Credentials (ADC). It is first in the ADC lookup order, so setting it overrides gcloud user credentials and any attached service account. The modern guidance from Google is to avoid downloaded service-account key files entirely — they are long-lived secrets that leak — and instead use Workload Identity Federation or attached service accounts, where ADC finds credentials automatically and GOOGLE_APPLICATION_CREDENTIALS is left unset.

Provider: Google Cloud
Category: authentication
Set by: Set manually to the path of a downloaded service account key JSON file
Example: /path/to/service-account-key.json
Security: A downloaded service-account key JSON is a non-expiring credential — anyone with the file can impersonate that service account until the key is revoked. Never commit it, never bake it into an image layer, and never log its contents. Prefer keyless auth (Workload Identity Federation, attached service accounts, `gcloud auth application-default login` for local dev). If you must use a key file, store it in a secret manager, mount it at runtime, and rotate it; the value of this variable is a path, so make sure that path is on a private, non-versioned volume.
Gotcha: On GCP compute (Cloud Run, GKE, GCE, Cloud Functions) you usually should NOT set this — ADC automatically uses the attached service account via the metadata server. Setting GOOGLE_APPLICATION_CREDENTIALS there overrides that safer identity with a static key, and a path that does not exist in the container produces 'Could not load the default credentials' at the first API call rather than at startup.

How to set GOOGLE_APPLICATION_CREDENTIALS

bash (local dev with a key file)

export GOOGLE_APPLICATION_CREDENTIALS=/secrets/sa-key.json
gcloud auth application-default print-access-token

preferred local dev: no key file

gcloud auth application-default login
# ADC is written to ~/.config/gcloud; leave the env var unset

docker-compose (mount the key, set the path)

services:
  app:
    environment:
      GOOGLE_APPLICATION_CREDENTIALS: /secrets/sa-key.json
    volumes:
      - ./sa-key.json:/secrets/sa-key.json:ro

Frequently Asked Questions

Do I need GOOGLE_APPLICATION_CREDENTIALS on Cloud Run or GKE?

No. On GCP compute, Application Default Credentials automatically uses the attached service account through the metadata server, so leave it unset. Set it only when running outside GCP (or locally) and even then prefer Workload Identity Federation over a downloaded key file.

Can it hold the JSON content instead of a file path?

No — GOOGLE_APPLICATION_CREDENTIALS must be a path to a file on disk. If you only have the JSON as a string (e.g. a CI secret), write it to a temp file first and point the variable at that file, or use the library-specific 'credentials from JSON string' API instead.
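
A startup preflight for the two failure modes described above (JSON pasted into the variable, or a path that does not exist in the container), plus a check of file permissions and credential type. This is an added example, not code from Google or from this site; the function name check_adc_env and the sample key file are constructed for illustration.

```python
import json
import os
import stat
import tempfile


def check_adc_env(environ=None):
    """Return (level, message) findings for GOOGLE_APPLICATION_CREDENTIALS."""
    environ = os.environ if environ is None else environ
    value = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not value:
        return [("ok", "unset: ADC falls back to gcloud or attached service account")]
    if value.lstrip().startswith("{"):
        return [("error", "value looks like JSON content; it must be a file path")]
    if not os.path.isfile(value):
        return [("error", "path does not exist or is not a file")]
    findings = []
    # A key file readable by group/other is exposed to every local user.
    mode = stat.S_IMODE(os.stat(value).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("warn", f"file mode {mode:o} is accessible to group/other"))
    try:
        # Only the "type" field is read; key material is never logged.
        with open(value, encoding="utf-8") as fh:
            cred_type = json.load(fh).get("type")
    except (OSError, ValueError, AttributeError):
        return findings + [("error", "file is not a readable JSON object")]
    if cred_type == "service_account":
        findings.append(("warn", "long-lived service account key; prefer keyless auth"))
    elif cred_type == "external_account":
        findings.append(("ok", "Workload Identity Federation config (no private key)"))
    else:
        findings.append(("warn", f"unexpected credential type: {cred_type!r}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a fake, world-readable key file to show the findings.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sa-key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"type": "service_account", "private_key": "CONSTRUCTED"}, fh)
        os.chmod(path, 0o644)
        for level, msg in check_adc_env({"GOOGLE_APPLICATION_CREDENTIALS": path}):
            print(level, msg)
```

Call check_adc_env() with no arguments at process start and exit on any "error" finding, so a bad path fails at startup instead of at the first API call.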
