background auth

GCP SDKs can usually magically detect when they're running in a supported environment and authenticate appropriately. How does that work?

Looking at Go: provides wrappers that create authenticated HTTP and gRPC clients. If no auth options are passed, this then goes to and its magic FindDefaultCredentials. Well not really magic, it does what it says in the documentation: check the env if it points to an auth file, check well known locations for auth files, and query the metadata server (literally ask if the ip/internal dns address is available).

All this results in an OAuth2 token/source which is used to either wrap an http transport (reuse token until it needs refresh, call source to get new token), or with configure the gRPC client WithPerRPCCredentials.