GCP Application Default Credentials (ADC) resolution for Vertex AI.
Mirrors the order documented at
https://cloud.google.com/docs/authentication/application-default-credentials
and implemented by the official google-auth client libraries:
1. GOOGLE_APPLICATION_CREDENTIALS env var → credentials file
2. Well-known file at
~/.config/gcloud/application_default_credentials.json
(set by `gcloud auth application-default login`)
3. GCE / Cloud Run / GKE metadata server (when running on GCP)
Credentials files come in two flavours we support:
:service_account — has :private_key + :client_email; we RS256-
sign a JWT and exchange it at
oauth2.googleapis.com/token for an access
token (jwt-bearer grant).
:authorized_user — has :client_id, :client_secret, :refresh_token;
we POST a refresh_token grant to the same
endpoint. This is the format
`gcloud auth application-default login` writes.
External account (workload identity federation) is not yet supported
— those credentials require an STS exchange that varies by source
(AWS, Azure, OIDC). Throw a clear error if encountered.
Two convenience layers sit *above* the proper ADC chain:
- request opts :vertex :access-token (caller override)
- GOOGLE_OAUTH_ACCESS_TOKEN env (pre-resolved bearer)
These are documented escape hatches; they do not replace ADC.
When none of the layers yield a token, raises ex-info
{:error/type :auth/missing-credentials :attempted [...]}
naming every source the SDK tried, in order.
Indirection for testability. Default does a short-timeout GET to metadata.google.internal; returns the parsed JSON body on 200, nil otherwise. Bind in tests to stub.
Indirection for testability — bind to drive cache expiry.
Indirection for testability. Default POSTs body-map to
oauth2.googleapis.com/token as application/x-www-form-urlencoded
and returns the parsed JSON body. Bind in tests to stub.
Default ADC well-known file path. Bound for testability.
(clear-caches!)
Wipe all in-memory caches. Tests call this between fixtures so leftover state from one test doesn't bleed into another.
(resolve-access-token request profile)
Resolve a GCP OAuth access token using the ADC chain. Returns the token string on success. Throws ex-info with :error/type :auth/missing-credentials when no source yields a token.
Failures within a step (broken SA JSON, unsupported credential type, refused refresh-token grant) surface their own ex-info directly — the chain only falls through when a step legitimately has no credentials to offer (no env var set, no file at that path, no metadata server reachable).
(resolve-project request profile)
Resolve the GCP project id. Returns nil when no source provides one — callers are responsible for raising a clear error in that case.
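The chain and fall-through rules described in the namespace doc and in resolve-access-token, as an added illustration that is not the SDK's own code: the GOOGLE_OAUTH_ACCESS_TOKEN escape hatch first, then env-var file, well-known file and metadata server, with service_account files turned into an RS256 jwt-bearer assertion and authorized_user files into a refresh_token grant. It assumes org.clojure/data.json on the classpath; the dynamic indirections, the source keywords in :attempted, the :auth/unsupported-credentials error type and the zero-argument resolve-access-token signature are this example's own choices, not the SDK's.

```clojure
(ns example.adc (:require [clojure.data.json :as json] [clojure.java.io :as io])) ; assumes org.clojure/data.json
(def token-uri "https://oauth2.googleapis.com/token")
;; Indirections, bound in tests to stub env, metadata server and token endpoint.
(def ^:dynamic *getenv* #(System/getenv %))
(def ^:dynamic *well-known-path*
  (str (System/getProperty "user.home") "/.config/gcloud/application_default_credentials.json"))
(def ^:dynamic *metadata-token* (fn [] nil))   ; parsed JSON body on 200, else nil
(def ^:dynamic *post-form*                     ; POST body-map to token-uri, return parsed JSON
  (fn [body] (throw (ex-info "network disabled in example" {:body body}))))
(defn- b64url [^bytes bs]
  (.encodeToString (.withoutPadding (java.util.Base64/getUrlEncoder)) bs))
(defn sa-assertion
  "RS256-signed JWT for the jwt-bearer grant, from a service_account file map."
  [{:keys [private_key client_email]} now-sec]
  (let [der (.decode (java.util.Base64/getMimeDecoder)
                     (.replaceAll ^String private_key "-----[A-Z ]+-----" ""))
        key (.generatePrivate (java.security.KeyFactory/getInstance "RSA")
                              (java.security.spec.PKCS8EncodedKeySpec. der))
        enc #(b64url (.getBytes ^String (json/write-str %) "UTF-8"))
        claims {:iss client_email :aud token-uri :iat now-sec :exp (+ now-sec 3600)
                :scope "https://www.googleapis.com/auth/cloud-platform"}
        input (str (enc {:alg "RS256" :typ "JWT"}) "." (enc claims))
        sig (doto (java.security.Signature/getInstance "SHA256withRSA")
              (.initSign key) (.update (.getBytes input "UTF-8")))]
    (str input "." (b64url (.sign sig)))))
(defn- token-from-file
  "nil when no file is at path (chain falls through); broken or unsupported files throw."
  [path]
  (when (and path (.exists (io/file path)))
    (let [{:keys [type] :as creds} (json/read-str (slurp path) :key-fn keyword)]
      (:access_token
       (case type
         "service_account"
         (*post-form* {:grant_type "urn:ietf:params:oauth:grant-type:jwt-bearer"
                       :assertion (sa-assertion creds (quot (System/currentTimeMillis) 1000))})
         "authorized_user"
         (*post-form* (assoc (select-keys creds [:client_id :client_secret :refresh_token])
                             :grant_type "refresh_token"))
         (throw (ex-info (str "Unsupported ADC credential type: " type) ; e.g. external_account
                         {:error/type :auth/unsupported-credentials :type type})))))))
(defn resolve-access-token []
  (let [sources [[:env/google-oauth-access-token #(*getenv* "GOOGLE_OAUTH_ACCESS_TOKEN")]
                 [:env/google-application-credentials
                  #(token-from-file (*getenv* "GOOGLE_APPLICATION_CREDENTIALS"))]
                 [:file/well-known #(token-from-file *well-known-path*)]
                 [:gce/metadata-server #(:access_token (*metadata-token*))]]]
    (or (some (fn [[_ try-source]] (try-source)) sources)
        (throw (ex-info "No GCP credentials found via ADC"
                        {:error/type :auth/missing-credentials :attempted (mapv first sources)})))))
```

Bind *getenv*, *well-known-path*, *metadata-token* and *post-form* in a test to walk each branch offline; a missing env var or file returns nil and the chain moves on, while a malformed or external_account file raises its own ex-info before the next source is tried.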