Google auth default credentials for GAE standard 2nd Gen (Python)

302 views
Skip to first unread message

Eric G

unread,
Sep 9, 2018, 11:46:55 AM9/9/18
to Google App Engine
It appears that the google-auth default credentials will not work for 2nd generation standard environments, at least not for Python at the moment, as it requires the app identity/user API.

Is there a plan for getting default app engine credentials to work in another way?  Or is the recommendation to set the GOOGLE_APPLICATION_CREDENTIALS env var to point to the service account file manually?

Thanks,
Eric

Katayoon (Cloud Platform Support)

unread,
Sep 13, 2018, 3:22:47 PM9/13/18
to Google App Engine
As noted in the documentation, You may use any HTTP-based authentication mechanism, such as Google Identity Platform or Firebase Authentication as the Users service is not available in Python 3.

Fili Wiese

unread,
Sep 13, 2018, 5:48:29 PM9/13/18
to Google App Engine
I filled an issue for this on Github as I ran into the same problem:

David (Google Cloud Support)

unread,
Sep 17, 2018, 3:43:43 PM9/17/18
to google-a...@googlegroups.com

Python 3.7 on App Engine standard provides the GCE metadata service, so as an alternative, you could use Compute Engine Credentials. I will inform our documentation team to update this document since it is outdated and it does not include App Engine Standard Second Generation as one of the platforms where you could use these credentials.

Eric G

unread,
Sep 18, 2018, 1:02:24 PM9/18/18
to Google App Engine
Thanks!  I think I will stick with using an explicit service account json file, but it's good to know this route works.

Stewart Reichling

unread,
Sep 25, 2018, 4:50:57 PM9/25/18
to Google App Engine
Hi Eric -- can you follow up with more details about your use case?

Eric G

unread,
Sep 27, 2018, 1:27:41 PM9/27/18
to Google App Engine
It was more a question because the documentation was unclear for 2nd generation standard GAE environments.  
I have no problem using an explicit credentials file - in fact I prefer that to the magic of default credentials, and using the GCE metadata service involves an extra network hop if I'm not mistaken.

Stewart Reichling

unread,
Sep 27, 2018, 1:34:30 PM9/27/18
to google-a...@googlegroups.com
Thanks for the feedback. It would be helpful to understand the use case because the "magic" default credentials *should* work.

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengi...@googlegroups.com.
To post to this group, send email to google-a...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/e46520e4-b680-422b-baec-6b983145043b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Stewart Reichling | Product Manager, Serverless | stew...@google.com | 650.906.3381
Reply all
Reply to author
Forward
0 new messages