Description
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Is your feature request related to a problem? Please describe.
We use Vault to hand out tokens for GCP access.
Newer versions of gcloud support setting the environment variable CLOUDSDK_AUTH_ACCESS_TOKEN to our temporary token (see https://cloud.google.com/sdk/docs/authorizing).
We do something similar with Terraform via the GOOGLE_OAUTH_ACCESS_TOKEN environment variable (see: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference).
We'd like to be able to do something similar with our Python applications without having to modify them to do anything other than call a single function to get credentials (google.auth.default()). That would allow us to run them locally with our own service account credentials or GCP users, within GCP services such as compute or appengine, and also in our CI jobs that use the tokens, without modification.
Describe alternatives you've considered
Currently we have to build our own credentials object via google.oauth2.credentials.Credentials. Here's a simplified example. The issue is we have to either put this logic in many of our apps, or build our own library to include in our apps:
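```python
import os

import google.auth
from google.oauth2.credentials import Credentials


def auth():
    # Prefer a short-lived access token supplied via the environment (e.g. from Vault).
    access_token = os.environ.get("GOOGLE_ACCESS_TOKEN")
    if access_token:
        creds = Credentials(access_token)
    else:
        # Otherwise fall back to Application Default Credentials.
        creds, _ = google.auth.default()
    return creds
```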