I have a maven plugin which uses the application_default_credentials.json file to authenticate against Google Cloud services.
I am trying to figure out how to get default credentials using a service account instead of using my account.
I tried setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the service account's credential file. But the plugin does not use this environment variable.
I know, it might be a problem with the plugin. But, I am wondering is there any way to set application-default-credentials.json using google service account.
Format of application-default-credentials.json:
{
"client_id": "76....408.apps.googleusercontent.com",
"client_secret": "d-....D0Ty",
"refresh_token": "1/r............................emnY02",
"type": "authorized_user"
}
Service account's key format:
{
"type": "service_account",
"project_id": "ID",
"private_key_id": "9a4.................................bbaad80",
"private_key": "-----BEGIN PRIVATE KEY-----\nMI................................e\n-----END PRIVATE KEY-----\n",
"client_email": "[email protected]",
"client_id": "10..................886",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/name%40project.iam.gserviceaccount.com"
}
I know, it might be a problem with the plugin. But, I am wondering is there any way to set application-default-credentials.json using google service account.
The answer is no. See below for details.
What you are calling application default credentials is actually OAuth Client Secrets. These credentials are used to authenticate (login) by a human to Google Accounts to generate OAuth tokens. You cannot use this type of credential file with GOOGLE_APPLICATION_CREDENTIALS.
Application Default Credentials (ADC) is not a credential, but a strategy to locate credentials.
A Service Account JSON file is used by a computer/machine to authenticate with Google Accounts and generate an OAuth Access Token (and optionally an OIDC Client ID token).
The two types of authentication result in similar types of tokens but cannot be interchanged without using different types of code and integration with the Google authentication systems.
The key point is that one requires a human to interact with Google, the other interacts silently with Google.
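To check which kind of credential a build machine would pick up, the following added example (not code from the answer or from Google's libraries) walks the two file-based lookup steps, the GOOGLE_APPLICATION_CREDENTIALS variable and then the gcloud well-known file, and reports whether the file found is a human-user or a service-account credential. The function names are hypothetical, the well-known path assumes the Linux/macOS layout, and the sample files are constructed.

```python
import json
import tempfile
from pathlib import Path

# Fields per credential type, taken from the two file formats shown in the question.
REQUIRED = {
    "authorized_user": {"client_id", "client_secret", "refresh_token"},
    "service_account": {"private_key_id", "private_key", "client_email", "token_uri"},
}
WELL_KNOWN = Path(".config/gcloud/application_default_credentials.json")  # Linux/macOS

def locate(env, home):
    """First credential file the lookup would use: env var, then well-known file."""
    if env.get("GOOGLE_APPLICATION_CREDENTIALS"):
        return "env", Path(env["GOOGLE_APPLICATION_CREDENTIALS"])
    path = Path(home) / WELL_KNOWN
    return ("well_known_file", path) if path.is_file() else (None, None)

def classify(path):
    """Return (type, missing_fields); secret values are never printed or returned."""
    data = json.loads(Path(path).read_text())
    kind = data.get("type")
    if kind not in REQUIRED:
        raise ValueError(f"unsupported credential type: {kind!r}")
    return kind, sorted(REQUIRED[kind] - set(data))

def describe(env, home):
    source, path = locate(env, home)
    if path is None:
        return "no credential file found"
    if not path.is_file():
        return f"{source}: file does not exist"
    kind, missing = classify(path)
    who = "human user" if kind == "authorized_user" else "service account"
    return f"{source}: {who}" + (f", missing {missing}" if missing else "")

def demo():
    """Run the lookup against constructed files in a temporary home directory."""
    with tempfile.TemporaryDirectory() as home:
        user_file = Path(home) / WELL_KNOWN
        user_file.parent.mkdir(parents=True)
        user_file.write_text(json.dumps({"type": "authorized_user", "client_id": "x",
                                         "client_secret": "x", "refresh_token": "x"}))
        sa_file = Path(home) / "sa.json"  # constructed key file, private_key omitted
        sa_file.write_text(json.dumps({"type": "service_account", "private_key_id": "x",
                                       "client_email": "x", "token_uri": "x"}))
        return [describe({}, home),
                describe({"GOOGLE_APPLICATION_CREDENTIALS": str(sa_file)}, home)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real machine, call `describe(os.environ, Path.home())` after importing `os`; a result of "human user" on a CI host means builds are running on a person's refresh token rather than a service account key.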