How to determine authentication method while using Google Cloud Platform client libraries locally


I'm currently able to run a local Python script that calls the Google Vision API using the Python client library (specifically, I'm using the google-cloud-vision package). However, I'm curious about how it's authenticating. In the Python script that I'm running locally, I do not provide any authentication information. From reading the below posts, it seems that a common way to authenticate when running locally is to set an environment variable to the path of a .JSON key file (i.e., export GOOGLE_APPLICATION_CREDENTIALS=path/to/JSON/key/file); however, I don't recall doing this, and if I run printenv, I do not have an environment variable called GOOGLE_APPLICATION_CREDENTIALS.

The below posts provide great details about different ways to authenticate using the client libraries locally, but how can I see/determine exactly how my program is being authenticated? Is there a way to query for this?

"Authenticating to the Cloud Vision API"...including the "Application Default Credentials" part of the above page

"Authenticating Applications With a Client Library" section of Creating and Enabling Service Accounts for Instances

"Providing Credentials to Your Application" section of "Setting Up Authentication for Server to Server Production Capabilities" page

"Setting the Environment Variable" Section of "Getting Started With Authentication" page:

Python client libraries "Getting Started" page:

"Authenticating to a Cloud API Service"


There are 1 best solutions below

3
Edo Akse On

There are 4 different ways for the request to be authenticated without creating a credentials object.

  1. If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set to the path of a valid service account JSON private key file, then it is used.
  2. If the Google Cloud SDK is installed and has application default credentials set then it is used. Note that if you've done this step once in the past, it will stay valid. (I'm guessing that this is what you're currently using to authenticate.)
  3. If the application is running in the App Engine Standard environment then the credentials and project ID from the App Identity Service are used. (Not applicable here but I'm listing it for completeness' sake.)
  4. If the application is running in Compute Engine or the App Engine flexible environment then the credentials and project ID are obtained from the Metadata Service. (Not applicable here but I'm listing it as well for completeness' sake.)

If no credentials are found using the methods above, DefaultCredentialsError will be raised. Since you're not getting this error, and you don't have the environment variable from #1 set, and options #3 & #4 are not applicable, the only option that remains is number #2.

The above information can be found on the readthedocs.io page for the google-cloud Authentication page, and more specifically in the google.auth package page.

You can check if you have the application default credentials set up by running this command:

gcloud auth application-default print-access-token 

If this doesn't return an error but an access token, it means that #2 is set up. Don't share this token with anyone of course...

Some related information: you can check the token that was printed out with the command above here, or using the curl command below (paste the token at the end):

curl -i https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=

This doesn't exactly answer your question, but by process of elimination it should be the correct one...
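The following is an added example, not part of the answer above and not code from the google-auth library: a standard-library Python check that walks options #1 and #2 in the same order and reports which local credential file would be picked up, without printing its secret fields. It assumes the usual Cloud SDK locations (`~/.config/gcloud` on Linux/macOS, `%APPDATA%\gcloud` on Windows, or the directory named by `CLOUDSDK_CONFIG`) and the `type`, `client_email` and `client_id` fields of the credential JSON.

```python
import json
import os
from pathlib import Path

ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"
ADC_FILE = "application_default_credentials.json"  # written by gcloud (assumed name)


def gcloud_config_dir(env):
    """Directory where the Cloud SDK keeps its config (CLOUDSDK_CONFIG overrides)."""
    if env.get("CLOUDSDK_CONFIG"):
        return Path(env["CLOUDSDK_CONFIG"])
    if os.name == "nt":
        return Path(env.get("APPDATA", "")) / "gcloud"
    return Path(env.get("HOME", str(Path.home()))) / ".config" / "gcloud"


def describe(path):
    """Summarise a credential file without exposing its secret fields."""
    try:
        info = json.loads(Path(path).read_text())
        # Only non-secret identifiers are returned; private_key and
        # refresh_token are deliberately never read out.
        return {"path": str(path), "type": info.get("type"),
                "identity": info.get("client_email") or info.get("client_id")}
    except (OSError, ValueError, AttributeError) as exc:
        return {"path": str(path), "error": type(exc).__name__}


def find_local_adc(env=None):
    """Return (source, details) for options #1 and #2, or (None, None)."""
    env = os.environ if env is None else env
    if env.get(ENV_VAR):                      # option #1: explicit key file
        return ENV_VAR, describe(env[ENV_VAR])
    well_known = gcloud_config_dir(env) / ADC_FILE
    if well_known.is_file():                  # option #2: gcloud ADC file
        return "gcloud application-default", describe(well_known)
    return None, None                         # options #3/#4 need a GCP runtime


if __name__ == "__main__":
    print(find_local_adc())
```

A `type` of `authorized_user` means the file holds your own user credentials, while `service_account` means a service account key is stored on disk.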