A better authentication and default config implementation

[wietsevenema]

The current implementation relies exclusively on Application Default Credentials (ADC), which is not great for local development. Here’s what I think should happen.

Local development environment (including Cloud Shell)

• With gcloud CLI installed:
  • The tool should prioritize using the developer's logged-in user credentials (not ADC) from the gcloud CLI.
  • It uses the local gcloud configuration, such as the default project and region, to avoid manual configuration
  • This should fix Cloud Run MCP in Cloud Shell picks up a cloudshell-gca project #105
• Without gcloud CLI installed:
  • The authentication process should not fail.
  • It needs a clear fallback mechanism, allowing authentication via a service account key file, pointed to by the GOOGLE_APPLICATION_CREDENTIALS environment variable

Google Cloud environment (Cloud Run, GCE, GKE)

• When running on a Google Cloud compute resource, the application must automatically use the attached service identity through the metadata service for authentication. This is the default behavior for the client libraries.
• The application should automatically default to the project ID and region where the server is deployed, eliminating the need for explicit configuration in this environment.

[steren]

I agree with your proposal

But to recap, the only difference with today's behavior is that you suggest using user credentials when gcloud is installed, right?

Because:

• if GOOGLE_APPLICATION_CREDENTIALS is set, the client libraries already pick up credentials from it, independently from gcloud installed or not.
• in Google Cloud environment (Cloud Run, GCE, GKE), the client libraries already pick up credentials from metadata server.

[steren]

We should also be looking into re-using the credentials used by Gemini CLI, if possible.

This would make it so that when using the Cloud Run extension for Gemini CLI. no auth setup would be needed