Every package uses a :class:`Client <gcloud.client.Client>`

as a base for interacting with an API.

For example:

Passing no arguments at all will "just work" if you've followed the

instructions in the :ref:`Overview`.

The credentials are inferred from your local environment by using

Google `Application Default Credentials`_.

.. _Precedence:

When loading the `Application Default Credentials`_,

the library will check properties of your local environment

in the following order:

Explicit Credentials

The Application Default Credentials discussed above can be useful

if your code needs to run in many different environments or

if you just don't want authentication to be a focus in your code.

However, you may want to be explicit because

* your code will only run in one place

* you may have code which needs to be run as a specific service account

every time (rather than with the locally inferred credentials)

* you may want to use two separate accounts to simultaneously access data

from different projects

In these situations, you can create an explicit

:class:`Credentials <oauth2client.client.Credentials>` object suited to your

environment.

After creation,

you can pass it directly to a :class:`Client <gcloud.client.Client>`:

.. code:: python

Google App Engine Environment

To create :class:`credentials <oauth2client.appengine.AppAssertionCredentials>`

just for Google App Engine:

.. code:: python

Google Compute Engine Environment

To create :class:`credentials <oauth2client.gce.AppAssertionCredentials>`

just for Google Compute Engine:

.. code:: python

Service Accounts

A `service account`_ can be used with both a JSON keyfile and

a PKCS12/P12 keyfile.

Directly creating ``credentials`` in `oauth2client`_ for a service

account is a rather complex process,

so as a convenience, the

factories are provided to create a :class:`Client <gcloud.client.Client>` with

service account credentials.

.. _oauth2client: http://oauth2client.readthedocs.org/en/latest/

For example, with a JSON keyfile:

Unless you have a specific reason to use a PKCS12/P12 key for your

service account,

we recommend using a JSON key.

User Accounts (3-legged OAuth 2.0) with a refresh token

The majority of cases are intended to authenticate machines or

workers rather than actual user accounts. However, it's also

possible to call Google Cloud APIs with a user account via

`OAuth 2.0`_.

.. tip::

A production application should **use a service account**,

but you may wish to use your own personal user account when first

getting started with the ``gcloud-python`` library.

The simplest way to use credentials from a user account is via

Application Default Credentials using ``gcloud auth login``

(as mentioned above):

.. code:: python

This will still follow the :ref:`precedence <Precedence>`

described above,

so be sure none of the other possible environments conflict

with your user provided credentials.

Advanced users of `oauth2client`_ can also use custom flows to

create credentials using `client secrets`_ or using a

`webserver flow`_.

After creation, :class:`Credentials <oauth2client.client.Credentials>`

can be serialized with

:meth:`to_json() <oauth2client.client.Credentials.to_json>`

and stored in a file and then and deserialized with

:meth:`from_json() <oauth2client.client.Credentials.from_json>`.

.. _client secrets: https://developers.google.com/api-client-library/python/guide/aaa_oauth#flow_from_clientsecrets

.. _webserver flow: https://developers.google.com/api-client-library/python/guide/aaa_oauth#OAuth2WebServerFlow