auth v0.18.0: "multiple credential options provided" when GOOGLE_APPLICATION_CREDENTIALS is set

[maximelb]

Client

All clients (monitoring, storage, bigtable, etc.)

Environment

• GKE with service account key file mounted as secret
• GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/google/key.json
• $ go version: go1.24.9 linux/amd64

Code and Dependencies

package main

import (
	"context"
	monitoring "cloud.google.com/go/monitoring/apiv3/v2"
)

func main() {
	// Fails with: "dialing: multiple credential options provided"
	client, err := monitoring.NewMetricClient(context.Background())
	if err != nil {
		panic(err)
	}
	defer client.Close()
}

go.mod

module example

go 1.24.9

require (
	cloud.google.com/go/monitoring v1.24.3
)

// Indirect dep that causes the issue:
// cloud.google.com/go/auth v0.18.0

Expected behavior

Client initializes successfully when GOOGLE_APPLICATION_CREDENTIALS is set, as it did with cloud.google.com/go/auth v0.17.0.

Actual behavior

Client creation fails with:

dialing: multiple credential options provided

Error originates from google.golang.org/api/internal/settings.go validation.

Additional context

• Works with cloud.google.com/go/auth v0.17.0
• Breaks with cloud.google.com/go/auth v0.18.0 (released Dec 15, 2025)
• Affects all Google Cloud clients when GOOGLE_APPLICATION_CREDENTIALS is set
• The new auth library appears to detect credentials via both old (CredentialsFile) and new (AuthCredentialsFile) paths simultaneously, triggering validation that rejects multiple credential sources
• Workaround: replace cloud.google.com/go/auth => cloud.google.com/go/auth v0.17.0 (untenable for large codebases)

[maximelb]

Additional Root Cause Analysis

I traced the exact code path causing this issue:

Reproduction Scenario

This occurs when passing explicit credentials (e.g., option.WithCredentialsJSON()) to a client, regardless of whether GOOGLE_APPLICATION_CREDENTIALS is set.

Code Path

1. User code:

storage.NewClient(ctx, option.WithCredentialsJSON(serviceAccountJSON))

2. cloud.google.com/go/storage/storage.go:172-176:

c, err := internaloption.AuthCreds(ctx, opts)
if err == nil {
    creds = c
    opts = append(opts, option.WithAuthCredentials(creds))
}

3. google.golang.org/api/internal/creds.go:54-75 (AuthCreds function):

func AuthCreds(ctx context.Context, settings *DialSettings) (*auth.Credentials, error) {
    if settings.NoAuth {
        return nil, nil
    }
    if settings.AuthCredentials != nil {
        return settings.AuthCredentials, nil
    }
    // ... checks for InternalCredentials, Credentials, TokenSource ...

    // BUG: Does NOT check for AuthCredentialsJSON or AuthCredentialsFile here!
    // Falls through to detection even when user provided credentials via JSON option
    return detectDefaultFromDialSettings(settings)
}

4. detectDefaultFromDialSettings reads the user's JSON and returns credentials

5. Storage adds option.WithAuthCredentials(creds) to opts

6. Now the options contain BOTH:

• AuthCredentialsJSON (from user's WithCredentialsJSON)
• AuthCredentials (added by storage client)

7. Validation fails at google.golang.org/api/internal/settings.go:200:

if nCreds > 1 && !(nCreds == 2 && ds.TokenSource != nil && ds.CredentialsFile != "") {
    return errors.New("multiple credential options provided")
}

The Fix

AuthCreds() should check for AuthCredentialsJSON and AuthCredentialsFile BEFORE falling through to detectDefaultFromDialSettings, similar to how it already checks for AuthCredentials:

func AuthCreds(ctx context.Context, settings *DialSettings) (*auth.Credentials, error) {
    if settings.NoAuth {
        return nil, nil
    }
    if settings.AuthCredentials != nil {
        return settings.AuthCredentials, nil
    }
    // ADD THESE CHECKS:
    if len(settings.AuthCredentialsJSON) > 0 {
        return nil, nil  // Let the transport handle it later
    }
    if settings.AuthCredentialsFile != "" {
        return nil, nil  // Let the transport handle it later
    }
    // ... rest of function
}

Or alternatively, the client libraries (storage, bigquery, etc.) should not add WithAuthCredentials when the user already provided any form of credentials.

[fixload]

The same error also occurs when using the new API option.WithAuthCredentialsJSON(credType CredentialsType, json []byte) ClientOption as:
storage.NewClient(ctx, option.WithAuthCredentialsJSON(option.ServiceAccount, json))

[namkazt]

In my side it actually caused by google.golang.org/api@v0.258.0. rollback to v0.257.0 fĩxed it.

[shollyman]

We've been looking at this pretty deeply, and believe we understand the failure mode for the storage package. If you have more detailed reproduction steps for clients/modules other than cloud.google.com/go/storage we would definitely love to hear more details.

Our proposed fix is related to an error in validating the provided options, rather than changes to how storage derives authentication information via the AuthCreds() function usage.

Just to set expectations, due to the holidays we're unlikely to release the fix here until after the new year. As other reporters have noted, pinning the google.golang.org/api module to the previous release v0.257.0 should avoid this issue.