Authenticating the Google Gen AI SDK

Christopher Brox
Building AI Agents @ Google

How to authenticate the Google Gen AI SDK.

Disclaimers:

  • At the time of this writing, I am employed by Google Cloud. However, the thoughts expressed here are my own and do not represent my employer.
  • The code provided here is sample code for educational purposes only. Please write your own production code.

Introduction

The Google Gen AI Python SDK provides an interface for developers to integrate Google's generative models into their Python applications.

This guide will walk you through two common ways to authenticate: using your own user credentials for local development and using a service account for production environments. Let's get your environment set up so you can start building amazing things!

Installing the SDK

First things first, you need to install the library. If you have Python and pip set up, it's just one command in your terminal.

pip install google-genai

Easy, right? With the SDK installed, let's get it authenticated.

Authenticating with Default Credentials

When you're developing on your local machine, the easiest way to authenticate is with your own Google Cloud account. This method, called Application Default Credentials (ADC), lets the SDK automatically find and use the credentials you've configured in your environment. It's perfect for testing and prototyping.

The best way to set up ADC is by using the Google Cloud CLI (gcloud).

  1. Install the gcloud CLI: If you haven't already, install the gcloud CLI for your operating system.

  2. Log in: Run the following command in your terminal.

    gcloud auth application-default login

This command will open a browser window, asking you to log in to your Google account and grant permissions to the CLI. Once you approve, your credentials will be stored locally where the SDK can find them.

That's it! Now, you can run your Python code without any explicit API keys or credential files. The SDK is smart enough to find the credentials provided by gcloud.

Here’s a simple script to test your setup. It initializes the client and sends a short prompt to a Gemini model.

from google.genai import Client

# No key or credential file is passed: the SDK picks up the ADC set by gcloud.
client = Client(vertexai=True, project="<your-google-cloud-project-id>", location="global")

response = client.models.generate_content(
    model='gemini-2.5-flash-lite',
    contents="why is the sky blue"
)

print(response.text)

If this script runs successfully and prints the model's answer, your local authentication is working perfectly! ✨

Authenticating with a service account

When you move from local development to a deployed application—especially one running outside of Google Cloud (like on AWS, Azure, or your own servers)—you can't rely on your personal user credentials. For these scenarios, a service account is the best practice. 🤖

A service account is a special type of Google account intended to represent a non-human user, like an application or a virtual machine. Your application can use this account to authenticate and make authorized API calls on its own, without needing a person to log in. This is the standard for production environments, automated CI/CD pipelines, and any unattended script.

To use a service account, you first create it in your Google Cloud project, grant it the necessary permissions, and then download a JSON key file. This file acts like a password for the service account, and your code will use it to authenticate.

How to Create a Service Account

Here’s how you can create a service account and get its key file through the Google Cloud Console.

  1. Navigate to IAM & Admin: In the Google Cloud Console, go to the IAM & Admin section and select Service Accounts.

  2. Create Service Account: Click the + CREATE SERVICE ACCOUNT button at the top.

  3. Fill in Details: Give your service account a name (e.g., gemini-sdk-app) and a description. A Service account ID will be generated for you. Click CREATE AND CONTINUE.

  4. Grant Permissions: You need to give the service account permission to access the Vertex AI API. In the "Grant this service account access to project" step, select the Vertex AI User role. This role provides the necessary permissions for your app to interact with generative models. Click CONTINUE, and then DONE.

  5. Create a Key: Now, find the service account you just created in the list. Click the three-dot menu (⋮) under Actions and select Manage keys.

  6. Download the JSON Key: Click ADD KEY > Create new key. Make sure the key type is set to JSON and click CREATE. A JSON file will be downloaded to your computer.

    ⚠️ Treat this file like a secret! Anyone who has this file can authenticate as your service account. Do not commit it to public source control. Store it securely and use a method like environment variables or a secret manager to load its path in your application.

Once you have the JSON file, you can use the code snippet below to authenticate. Just replace <location-to-your-service-account> with the actual path to your downloaded key file.

from google.genai import Client
from google.oauth2.service_account import Credentials

# The scope required for Vertex AI API
scopes = ['https://www.googleapis.com/auth/cloud-platform']

# Path to your downloaded service account JSON key file
SERVICE_ACCOUNT_FILE = '<location-to-your-service-account>'

creds = Credentials.from_service_account_file(
    filename=SERVICE_ACCOUNT_FILE,
    scopes=scopes
)

client = Client(
    vertexai=True,
    project='<your-google-cloud-project-id>',
    credentials=creds,
    location='global'
)

response = client.models.generate_content(
    model='gemini-2.5-flash',
    contents="why is the sky blue?"
)

print(response.text)
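
The warning above says to treat the key file as a secret and to load its path from the environment. The following pre-flight check is an added example, not code from the original post or from the SDK: it reads the path from GOOGLE_APPLICATION_CREDENTIALS (the environment variable ADC itself reads) and refuses a key that is group/world-readable, sits inside a Git work tree, or is not a service account key. The function names and the list of required fields are assumptions of this example.

```python
import json
import os
import stat
from pathlib import Path

# Fields a service account key must carry; names only, values are never printed.
REQUIRED_FIELDS = ("client_email", "private_key", "token_uri")


def audit_key_file(path):
    """Return a list of findings for a service account key file (empty means OK)."""
    p = Path(path).resolve()
    if not p.is_file():
        return [f"{p} is not a regular file"]
    findings = []
    # The key is a bearer secret: only the owning user should be able to read it.
    mode = stat.S_IMODE(p.stat().st_mode)
    if os.name == "posix" and mode & 0o077:
        findings.append(f"permissions {oct(mode)} allow group/other access; use 0600")
    # A key inside a Git work tree is one `git add .` away from being committed.
    if any((parent / ".git").exists() for parent in p.parents):
        findings.append("key file is inside a Git work tree")
    try:
        data = json.loads(p.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return findings + [f"cannot parse key file: {type(exc).__name__}"]
    if not isinstance(data, dict) or data.get("type") != "service_account":
        return findings + ["not a service account key (type != 'service_account')"]
    missing = [name for name in REQUIRED_FIELDS if not data.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    return findings


def key_path_from_env(var="GOOGLE_APPLICATION_CREDENTIALS"):
    """Read the key path from the environment; raise instead of using a bad key."""
    path = os.environ.get(var)
    if not path:
        raise RuntimeError(f"{var} is not set")
    findings = audit_key_file(path)
    if findings:
        raise RuntimeError("; ".join(findings))
    return path


if __name__ == "__main__":
    # Pass the result to Credentials.from_service_account_file(filename=...).
    print("key file OK:", key_path_from_env())
```

The returned path can replace the hard-coded SERVICE_ACCOUNT_FILE value in the snippet above.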