tessl/pypi-google-auth
Google Authentication Library providing comprehensive authentication mechanisms for Google APIs and services including OAuth 2.0, JWT, and service account credentials
—
Pending
adc.mddocs/
Application Default Credentials
Automatically detects and loads the most appropriate credentials for the current environment, following Google Cloud's standard credential discovery flow. This is the recommended approach for most applications as it works seamlessly across development, testing, and production environments.
Capabilities
Default Credential Discovery
Automatically discovers credentials using Google Cloud's standard Application Default Credentials (ADC) flow, checking sources in order: environment variable, user credentials, service account, Compute Engine metadata.
def default(
scopes=None,
request=None,
quota_project_id=None,
default_scopes=None
):
"""
Construct credentials from Application Default Credentials.
Args:
scopes (Sequence[str]): The list of scopes for the credentials. If specified,
the credentials will automatically be scoped if necessary.
request (google.auth.transport.Request): An object used to make HTTP requests.
This is used to determine the associated project ID for external account
credentials. If not specified, then it will use a default HTTP transport.
quota_project_id (str): The project ID used for quota and billing.
This project may be different from the project used to create the credentials.
default_scopes (Sequence[str]): Default scopes passed by a Google client library.
Use 'scopes' for user-defined scopes.
Returns:
Tuple[google.auth.credentials.Credentials, Optional[str]]: The constructed
credentials and the project ID. The project ID is the
quota_project_id if provided, or the default project ID if available.
Raises:
google.auth.exceptions.DefaultCredentialsError: If no credentials could
be found or if the credentials found are not valid.
"""Usage example:
import google.auth
# Basic usage - discover credentials automatically
credentials, project = google.auth.default()
# With specific scopes
credentials, project = google.auth.default(
scopes=['https://www.googleapis.com/auth/cloud-platform']
)
# With quota project
credentials, project = google.auth.default(
scopes=['https://www.googleapis.com/auth/bigquery'],
quota_project_id='my-billing-project'
)Loading from File
Loads credentials from a JSON credentials file, supporting service account keys, authorized user credentials, external account credentials, and impersonated service account credentials.
def load_credentials_from_file(
filename,
scopes=None,
default_scopes=None,
quota_project_id=None,
request=None
):
"""
Load Google credentials from a file.
The credentials file must be a service account key, stored authorized
user credentials, external account credentials, or impersonated service
account credentials.
Args:
filename (str): The full path to the credentials file.
scopes (Sequence[str]): The list of scopes for the credentials. If
specified, the credentials will automatically be scoped if necessary.
default_scopes (Sequence[str]): Default scopes passed by a Google client
library. Use 'scopes' for user-defined scopes.
quota_project_id (str): The project ID used for quota and billing.
request (google.auth.transport.Request): An object used to make HTTP
requests. This is used to determine the associated project ID for
external account credentials. If not specified, then it will use a
default HTTP transport.
Returns:
Tuple[google.auth.credentials.Credentials, Optional[str]]: Loaded
credentials and the project ID. Authorized user credentials do not
have the project ID information. External account credentials project
IDs may not always be determined.
Raises:
google.auth.exceptions.DefaultCredentialsError: if the file is in the
wrong format or is missing.
"""Usage example:
import google.auth
# Load from service account file
credentials, project = google.auth.load_credentials_from_file(
'/path/to/service-account.json',
scopes=['https://www.googleapis.com/auth/cloud-platform']
)
# Load from authorized user file
credentials, project = google.auth.load_credentials_from_file(
'/path/to/authorized-user.json'
)Loading from Dictionary
Loads credentials from a dictionary containing credential information, useful when credentials are stored in configuration systems or loaded from non-file sources.
def load_credentials_from_dict(
info,
scopes=None,
default_scopes=None,
quota_project_id=None,
request=None
):
"""
Load Google credentials from a dictionary.
The credentials dictionary must contain information for service account
credentials, authorized user credentials, external account credentials,
or impersonated service account credentials.
Args:
info (Mapping[str, str]): The credential information dictionary.
scopes (Sequence[str]): The list of scopes for the credentials. If
specified, the credentials will automatically be scoped if necessary.
default_scopes (Sequence[str]): Default scopes passed by a Google client
library. Use 'scopes' for user-defined scopes.
quota_project_id (str): The project ID used for quota and billing.
request (google.auth.transport.Request): An object used to make HTTP
requests. This is used to determine the associated project ID for
external account credentials. If not specified, then it will use a
default HTTP transport.
Returns:
Tuple[google.auth.credentials.Credentials, Optional[str]]: Loaded
credentials and the project ID. Authorized user credentials do not
have the project ID information. External account credentials project
IDs may not always be determined.
Raises:
google.auth.exceptions.DefaultCredentialsError: if the info is not in the
expected format.
"""Usage example:
import google.auth
import json
# Load from dictionary (e.g., from environment or config)
with open('/path/to/credentials.json') as f:
creds_info = json.load(f)
credentials, project = google.auth.load_credentials_from_dict(
creds_info,
scopes=['https://www.googleapis.com/auth/cloud-platform']
)Environment Variables
# Environment variables used by default credential discovery
GOOGLE_APPLICATION_CREDENTIALS: str # Path to service account JSON file
GOOGLE_CLOUD_PROJECT: str # Default project ID
GCLOUD_PROJECT: str # Alternative project ID variable
GOOGLE_CLOUD_QUOTA_PROJECT: str # Default quota project IDCredential Discovery Flow
The default() function follows this discovery order:
- GOOGLE_APPLICATION_CREDENTIALS environment variable - Points to service account JSON file
- gcloud user credentials - From
gcloud auth application-default login - gcloud service account - From
gcloud auth activate-service-account - Cloud SDK attached service account - When running on Google Cloud
- Compute Engine metadata service - When running on Compute Engine, App Engine, etc.
Error Handling
class DefaultCredentialsError(google.auth.exceptions.GoogleAuthError):
"""Raised when default credentials cannot be determined or loaded."""Common scenarios that raise DefaultCredentialsError:
- No credentials found in any discovery source
- Credentials file is malformed or missing
- Network issues accessing metadata service
- Invalid scopes for the credential type
Install with Tessl CLI
npx tessl i tessl/pypi-google-auth