GCP
UNAUTHENTICATED - Unauthenticated: Missing or Invalid Credentials
UNAUTHENTICATED means GCP can't validate your credentials—either your request has no auth credentials, your service account key is expired or revoked, or the GOOGLE_APPLICATION_CREDENTIALS environment variable isn't set. This client-side error happens before GCP even checks permissions. Most common in Compute Engine API calls, but also appears in Cloud SQL database connections, GKE cluster API access, and BigQuery query execution. OAuth tokens expire after about an hour, while service account keys don't expire by default unless revoked.
#Common Causes
- →Missing Credentials: No authentication credentials are provided in the request. Your application isn't configured with credentials, or the GOOGLE_APPLICATION_CREDENTIALS environment variable isn't set.
- →Expired OAuth Token: OAuth tokens expire after a set duration (typically 1 hour). Service account keys don't expire by default, but OAuth tokens from user authentication do. This is transient—refreshing credentials fixes it.
- →Invalid Service Account Key: The service account key file is corrupted, malformed, or doesn't match the service account. Key files must be valid JSON with correct structure.
- →Project ID Mismatch: The project ID in your request doesn't match the project associated with your credentials. Credentials are project-specific, and using the wrong project ID causes authentication to fail.
- →Revoked Service Account Key: The service account key was revoked in GCP (via Console or gcloud), but your application still uses the old key file.
✓Solutions
- 1Step 1: Diagnose - Check if credentials are configured: gcloud auth list
- 2Step 2: Diagnose - Check the GOOGLE_APPLICATION_CREDENTIALS environment variable: echo $GOOGLE_APPLICATION_CREDENTIALS
- 3Step 3: Fix - Set up authentication. For user credentials: gcloud auth application-default login For service account key: export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
- 4Step 4: Fix - If the key is invalid or revoked, regenerate it: gcloud iam service-accounts keys create KEY_FILE.json --iam-account=SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
- 5Step 5: Verify - Test authentication works: gcloud projects list
- 6Step 6: Fix - If project ID is wrong, set the correct project: gcloud config set project PROJECT_ID
</>Code Examples
Authentication Setup and Verification
1# This script helps diagnose and fix UNAUTHENTICATED errors
2
3# Step 1: Check current active credentials
4echo "Checking active credentials..."
5gcloud auth list
6
7# Step 2: Check GOOGLE_APPLICATION_CREDENTIALS environment variable
8echo "Checking GOOGLE_APPLICATION_CREDENTIALS..."
9echo "Current value: $GOOGLE_APPLICATION_CREDENTIALS"
10
11# Step 3: Set up application default credentials (for user authentication)
12# This prompts you to authenticate via browser
13echo "Setting up application default credentials..."
14gcloud auth application-default login
15
16# Alternative: Use service account key file
17# Replace /path/to/key.json with your service account key file path
18# export GOOGLE_APPLICATION_CREDENTIALS="/path/to/key.json"
19
20# Step 4: Verify authentication works by listing projects
21echo "Verifying authentication..."
22gcloud projects list
23
24# Step 5: Check current project configuration
25echo "Current project:"
26gcloud config get-value project
27
28# Step 6: If using service account and key is invalid, regenerate it
29# Replace SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com with your service account email
30# SERVICE_ACCOUNT="my-sa@my-project.iam.gserviceaccount.com"
31# gcloud iam service-accounts keys create new-key.json --iam-account=$SERVICE_ACCOUNT↗Related Errors
Provider Information
This error code is specific to GCP services. For more information, refer to the official GCP documentation.