Skip to content
This repository was archived by the owner on Mar 9, 2026. It is now read-only.
This repository was archived by the owner on Mar 9, 2026. It is now read-only.

Default credentials fail to detect running on GCP when ADC env var is empty #983

Closed
googleapis/google-auth-library-python
#1374
Closed
Default credentials fail to detect running on GCP when ADC env var is empty#983
googleapis/google-auth-library-python
#1374
Assignees
liuyunnnn
Labels
api: pubsubIssues related to the googleapis/python-pubsub API.
@mbrancato

Description

@mbrancato
mbrancato
opened on Aug 19, 2023

In the final layer of a container, it is pretty common to clear out env vars by setting them to empty. When GOOGLE_APPLICATION_CREDENTIALS exists but is empty (e.g. after pulling packages from Google Artifact Registry), the default credentials for the pubsub transport fails to use the assigned service account / metadata server.

Environment details

  • OS type and version: Linux 5.10.176+
  • Python version: Python 3.11.2
  • pip version: pip 23.0.1 from /usr/lib/python3/dist-packages/pip (python 3.11)
  • google-cloud-pubsub version: 2.18.3

Steps to reproduce

  1. Set the application creds env var to an empty value
  2. Attempt to create a publisher client while on GCP / GKE with a service account assigned

Code example

import asyncio
from google.pubsub_v1.services.publisher.async_client import PublisherAsyncClient
async def setup():
  publisher_client = PublisherAsyncClient(transport="grpc_asyncio")
  return publisher_client

loop = asyncio.new_event_loop()
loop.run_until_complete(setup())

Stack trace

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "<stdin>", line 2, in setup
  File "/usr/local/lib/python3.11/dist-packages/google/pubsub_v1/services/publisher/async_client.py", line 215, in __init__
    self._client = PublisherClient(
                   ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/google/pubsub_v1/services/publisher/client.py", line 492, in __init__
    self._transport = Transport(
                      ^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/google/pubsub_v1/services/publisher/transports/grpc_asyncio.py", line 198, in __init__
    super().__init__(
  File "/usr/local/lib/python3.11/dist-packages/google/pubsub_v1/services/publisher/transports/base.py", line 104, in __init__
    credentials, _ = google.auth.default(
                     ^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/google/auth/_default.py", line 659, in default
    credentials, project_id = checker()
                              ^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/google/auth/_default.py", line 652, in <lambda>
    lambda: _get_explicit_environ_credentials(quota_project_id=quota_project_id),
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/google/auth/_default.py", line 272, in _get_explicit_environ_credentials
    credentials, project_id = load_credentials_from_file(
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/google/auth/_default.py", line 116, in load_credentials_from_file
    raise exceptions.DefaultCredentialsError(
google.auth.exceptions.DefaultCredentialsError: File  was not found.

Metadata

Metadata

Assignees

Labels

api: pubsubIssues related to the googleapis/python-pubsub API.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions