This article is my attempt to keep track of the various environment variables that affect tools, SDKs, and applications written for Google Cloud.


Environment variable defining default project.

If not set and the environment variable GOOGLE_APPLICATION_CREDENTIALS is set to the path of a valid service account JSON private key file the project ID is the project ID defined in the service account file if available (some older files do not contain project ID information).

When using external identities with Application Default Credentials, the roles/browser IAM role needs to be granted to the service account. The Cloud Resource Manager API should also be enabled on the project. This is needed since application default credentials will try to auto-discover the project ID from the current environment using the impersonated credential. Otherwise, the project ID will resolve to None. You can override the project detection by setting the GOOGLE_CLOUD_PROJECT environment variable.


Previously used environment variable defining the default project.

This environment variable is used instead of the current one in some
situations (such as Google App Engine).


The quota project id to be set on the credential. The value from the environment variable will override any quota project that is present in the credential detected by the ADC mechanism.

A quota project is a Google Cloud Project that will be used for billing and quota limits.

More information:


Same as GOOGLE_CLOUD_QUOTA_PROJECT, but used for C++.


Environment variable defining the location of Google application default credentials.


Environment variable defining the location of Google Cloud SDK’s config files.

Configurations are stored in your user config directory (typically ~/.config/gcloud on MacOS and Linux, or %APPDATA%\gcloud on Windows); you can find the location of your config directory by running:

gcloud info --format='value(config.paths.global_config_dir)'

The config directory can be changed by setting the environment variable CLOUDSDK_CONFIG. Also, note that the config directory must be write-enabled. However, if you’re using Cloud Shell, your gcloud CLI preferences are stored in a temporary tmp folder, set for your current Cloud Shell tab only, and do not persist across sessions.



Environment variable providing an alternate hostname or host:port to be used for GCE metadata requests.

This environment variable was originally named GCE_METADATA_ROOT. System will
check the new variable first; should there be no value present, the system falls back to the old variable.


Environment variable providing an alternate ip:port to be used for IP-only GCE metadata requests.

The default value is Normally the hostname is

This environment variable is useful for environments where is already used by other metadata servers, eg AWS, Azure, etc.

The default endpoint for the metadata server is


Environment variable controlling whether to use client certificate or not. The default value is false. Users have to explicitly set this value to true in order to use client certificate to establish a mutual TLS channel.


Part of Mutual Authentication Using Workload Credentials [link]


Part of Mutual Authentication Using Workload Credentials [link]

To use executable-sourced credentials, this environment variable must be set to 1.


Part of Mutual Authentication Using Workload Credentials [link]

The audience field from the credential configuration. Must always be present.


Part of Mutual Authentication Using Workload Credentials [link]

The subject token type. Must always be present.


Part of Mutual Authentication Using Workload Credentials [link]

The service account email. Only present when service account impersonation is used.


Part of Mutual Authentication Using Workload Credentials [link]

The output file location from the credential configuration. Only present when specified in the credential configuration.