This article is my attempt to keep track of the various environment variables that affect tools, SDKs, and applications written for Google Cloud.
GOOGLE_CLOUD_PROJECT
Environment variable defining default project.
If not set, and the environment variable GOOGLE_APPLICATION_CREDENTIALS is set to the path of a valid service account JSON private key file, the project ID is taken from the service account file if available (some older files do not contain project ID information).
When using external identities with Application Default Credentials, the roles/browser IAM role needs to be granted to the service account. The Cloud Resource Manager API should also be enabled on the project. This is needed because Application Default Credentials will try to auto-discover the project ID from the current environment using the impersonated credential. Otherwise, the project ID will resolve to None. You can override the project detection by setting the GOOGLE_CLOUD_PROJECT environment variable.
GCLOUD_PROJECT
Previously used environment variable defining the default project.
This environment variable is used instead of the current one in some
situations (such as Google App Engine).
GOOGLE_CLOUD_QUOTA_PROJECT
The quota project ID to be set on the credential. The value from the environment variable overrides any quota project that is present in the credential detected by the ADC mechanism.
A quota project is a Google Cloud Project that will be used for billing and quota limits.
GOOGLE_CLOUD_CPP_USER_PROJECT
Same as GOOGLE_CLOUD_QUOTA_PROJECT, but used for C++.
GOOGLE_APPLICATION_CREDENTIALS
Environment variable defining the location of Google application default credentials.
CLOUDSDK_CONFIG
Environment variable defining the location of Google Cloud SDK’s config files.
Configurations are stored in your user config directory (typically ~/.config/gcloud on macOS and Linux, or %APPDATA%\gcloud on Windows); you can find the location of your config directory by running:
gcloud info --format='value(config.paths.global_config_dir)'
The config directory can be changed by setting the environment variable CLOUDSDK_CONFIG. Also, note that the config directory must be write-enabled. However, if you’re using Cloud Shell, your gcloud CLI preferences are stored in a temporary tmp folder, set for your current Cloud Shell tab only, and do not persist across sessions.
GCE_METADATA_HOST
GCE_METADATA_ROOT
Environment variable providing an alternate hostname or host:port to be used for GCE metadata requests.
This environment variable was originally named GCE_METADATA_ROOT. The system checks the new variable first; if no value is present, it falls back to the old variable.
GCE_METADATA_IP
Environment variable providing an alternate ip:port to be used for IP-only GCE metadata requests.
The default value is 169.254.169.254. Normally the hostname metadata.google.internal resolves to 169.254.169.254.
This environment variable is useful for environments where 169.254.169.254 is already used by other metadata servers, e.g. AWS, Azure, etc.
The default endpoint for the metadata server is http://metadata.google.internal/computeMetadata/v1.
GOOGLE_API_USE_CLIENT_CERTIFICATE
Environment variable controlling whether to use a client certificate. The default value is false. Users have to explicitly set this value to true in order to use a client certificate to establish a mutual TLS channel.
GOOGLE_API_CERTIFICATE_CONFIG
Part of Mutual Authentication Using Workload Credentials [link]
GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES
Part of Mutual Authentication Using Workload Credentials [link]
To use executable-sourced credentials, this environment variable must be set to 1.
GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE
Part of Mutual Authentication Using Workload Credentials [link]
The audience field from the credential configuration. Must always be present.
GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE
Part of Mutual Authentication Using Workload Credentials [link]
The subject token type. Must always be present.
GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL
Part of Mutual Authentication Using Workload Credentials [link]
The service account email. Only present when service account impersonation is used.
GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE
Part of Mutual Authentication Using Workload Credentials [link]
The output file location from the credential configuration. Only present when specified in the credential configuration.
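The project and metadata-host lookups described above, combined with a review of the settings that change where credentials come from (an added example, not code from this article or from Google's libraries). It assumes GOOGLE_CLOUD_PROJECT is checked before GCLOUD_PROJECT and that POSIX file modes apply; the function names are illustrative.

```python
import json
import os
import stat

DEFAULT_METADATA_HOST = "metadata.google.internal"

def resolve_project(env):
    """Return (project_id, source) following the order described above."""
    # Assumption: the current variable is consulted before the legacy one.
    for name in ("GOOGLE_CLOUD_PROJECT", "GCLOUD_PROJECT"):
        if env.get(name):
            return env[name], name
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if path:
        try:
            with open(path) as fh:
                data = json.load(fh)
        except (OSError, ValueError):
            data = None
        # Some older key files carry no project_id field.
        if isinstance(data, dict) and data.get("project_id"):
            return data["project_id"], "GOOGLE_APPLICATION_CREDENTIALS"
    return None, None

def metadata_host(env):
    """New variable first, then the original name, then the default host."""
    return (env.get("GCE_METADATA_HOST") or env.get("GCE_METADATA_ROOT")
            or DEFAULT_METADATA_HOST)

def audit(env):
    """List settings that alter where credentials are fetched from or stored."""
    findings = []
    host = metadata_host(env)
    if host != DEFAULT_METADATA_HOST:
        findings.append(f"metadata requests are redirected to {host}")
    if env.get("GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES") == "1":
        findings.append("executable-sourced credentials are enabled")
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if path and os.path.isfile(path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group/other permission bit on a key file
            findings.append(f"{path} is accessible beyond its owner (mode {mode:o})")
    return findings

if __name__ == "__main__":
    print("project:", resolve_project(os.environ))
    print("metadata host:", metadata_host(os.environ))
    for finding in audit(os.environ):
        print("REVIEW:", finding)
```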
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) virtualization. 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.