This page describes how you can use client libraries to access Google APIs.
Client libraries make it easier to access Trusted Cloud by S3NS APIs
using a supported language. You can use Trusted Cloud by S3NS APIs directly by
making raw requests to the server, but client libraries provide simplifications
that significantly reduce the amount of code you need to write. This is
especially true for authentication, because the client libraries support
Application Default Credentials (ADC).
Use Application Default Credentials with client libraries
To use Application Default Credentials to authenticate your application, you
must first set up ADC for the
environment where your application is running. When you use the client
library to create a client, the client library automatically checks for and
uses the credentials you have provided to ADC to authenticate to the APIs
your code uses. Your application does not need to explicitly authenticate
or manage tokens; these requirements are managed automatically by the
authentication libraries.
The following code samples create a client for the Cloud Storage service.
Your code is likely to need different clients; these samples are meant only to
show how you can create a client and use it without any code to explicitly
authenticate.
Before you can run the following samples, you must complete the following steps:
Set the GOOGLE_CLOUD_UNIVERSE_DOMAIN environment variable to
s3nsapis.fr.
Go
import("context""fmt""io""cloud.google.com/go/storage""google.golang.org/api/iterator")// authenticateImplicitWithAdc uses Application Default Credentials// to automatically find credentials and authenticate.funcauthenticateImplicitWithAdc(wio.Writer,projectIdstring)error{// projectId := "your_project_id"ctx:=context.Background()// NOTE: Replace the client created below with the client required for your application.// Note that the credentials are not specified when constructing the client.// The client library finds your credentials using ADC.client,err:=storage.NewClient(ctx)iferr!=nil{returnfmt.Errorf("NewClient: %w",err)}deferclient.Close()it:=client.Buckets(ctx,projectId)for{bucketAttrs,err:=it.Next()iferr==iterator.Done{break}iferr!=nil{returnerr}fmt.Fprintf(w,"Bucket: %v\n",bucketAttrs.Name)}fmt.Fprintf(w,"Listed all storage buckets.\n")returnnil}
Java
importcom.google.api.gax.paging.Page;importcom.google.cloud.storage.Bucket;importcom.google.cloud.storage.Storage;importcom.google.cloud.storage.StorageOptions;importjava.io.IOException;publicclassAuthenticateImplicitWithAdc{publicstaticvoidmain(String[]args)throwsIOException{// TODO(Developer):// 1. Before running this sample,// set up Application Default Credentials as described in// https://cloud.google.com/docs/authentication/external/set-up-adc// 2. Replace the project variable below.// 3. Make sure you have the necessary permission to list storage buckets// "storage.buckets.list"StringprojectId="your-google-cloud-project-id";authenticateImplicitWithAdc(projectId);}// When interacting with Google Cloud Client libraries, the library can auto-detect the// credentials to use.publicstaticvoidauthenticateImplicitWithAdc(Stringproject)throwsIOException{// *NOTE*: Replace the client created below with the client required for your application.// Note that the credentials are not specified when constructing the client.// Hence, the client library will look for credentials using ADC.//// Initialize client that will be used to send requests. This client only needs to be created// once, and can be reused for multiple requests.Storagestorage=StorageOptions.newBuilder().setProjectId(project).build().getService();System.out.println("Buckets:");Page<Bucket>buckets=storage.list();for(Bucketbucket:buckets.iterateAll()){System.out.println(bucket.toString());}System.out.println("Listed all storage buckets.");}}
Node.js
/** * TODO(developer): * 1. Uncomment and replace these variables before running the sample. * 2. Set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc * 3. Make sure you have the necessary permission to list storage buckets "storage.buckets.list" * (https://cloud.google.com/storage/docs/access-control/iam-permissions#bucket_permissions) */// const projectId = 'YOUR_PROJECT_ID';const{Storage}=require('@google-cloud/storage');asyncfunctionauthenticateImplicitWithAdc(){// This snippet demonstrates how to list buckets.// NOTE: Replace the client created below with the client required for your application.// Note that the credentials are not specified when constructing the client.// The client library finds your credentials using ADC.conststorage=newStorage({projectId,});const[buckets]=awaitstorage.getBuckets();console.log('Buckets:');for(constbucketofbuckets){console.log(`- ${bucket.name}`);}console.log('Listed all storage buckets.');}authenticateImplicitWithAdc();
PHP
// Imports the Cloud Storage client library.use Google\Cloud\Storage\StorageClient;/** * Authenticate to a cloud client library using a service account implicitly. * * @param string $projectId The Google project ID. */function auth_cloud_implicit($projectId){ $config = [ 'projectId' => $projectId, ]; # If you don't specify credentials when constructing the client, the # client library will look for credentials in the environment. $storage = new StorageClient($config); # Make an authenticated API request (listing storage buckets) foreach ($storage->buckets() as $bucket) { printf('Bucket: %s' . PHP_EOL, $bucket->name()); }}
Python
fromgoogle.cloudimportstoragedefauthenticate_implicit_with_adc(project_id="your-google-cloud-project-id"):""" When interacting with Google Cloud Client libraries, the library can auto-detect the credentials to use. // TODO(Developer): // 1. Before running this sample, // set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc // 2. Replace the project variable. // 3. Make sure that the user account or service account that you are using // has the required permissions. For this sample, you must have "storage.buckets.list". Args: project_id: The project id of your Google Cloud project. """# This snippet demonstrates how to list buckets.# *NOTE*: Replace the client created below with the client required for your application.# Note that the credentials are not specified when constructing the client.# Hence, the client library will look for credentials using ADC.storage_client=storage.Client(project=project_id)buckets=storage_client.list_buckets()print("Buckets:")forbucketinbuckets:print(bucket.name)print("Listed all storage buckets.")
Ruby
defauthenticate_implicit_with_adcproject_id:# The ID of your Google Cloud project# project_id = "your-google-cloud-project-id"#### When interacting with Google Cloud Client libraries, the library can auto-detect the# credentials to use.# TODO(Developer):# 1. Before running this sample,# set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc# 2. Replace the project variable.# 3. Make sure that the user account or service account that you are using# has the required permissions. For this sample, you must have "storage.buckets.list".###require"google/cloud/storage"# This sample demonstrates how to list buckets.# *NOTE*: Replace the client created below with the client required for your application.# Note that the credentials are not specified when constructing the client.# Hence, the client library will look for credentials using ADC.storage=Google::Cloud::Storage.newproject_id:project_idbuckets=storage.bucketsputs"Buckets: "buckets.eachdo|bucket|putsbucket.nameendputs"Plaintext: Listed all storage buckets."end
Use API keys with client libraries
You can use an API keys only with client libraries for APIs that accept API
keys. In addition, the API key must not have an API restriction that prevents it
from being used for the API.
When you use API keys in your applications, ensure that they are kept secure
during both storage and transmission. Publicly exposing your API keys can
lead to unexpected charges on your account. For more information, see
Best practices for managing API keys.
Security requirements when using credential configurations from an external source
Typically, you generate credential configurations by using gcloud CLI
commands or by using the Trusted Cloud console. For example, you can use the
gcloud CLI to generate a local ADC file or a login configuration
file. Similarly, you can use the Trusted Cloud console to create and download
a service account key.
For some use cases, however, credential configurations are provided to you by an
external entity; these credential configurations are intended to be used to
authenticate to Google APIs.
Some types of credential configurations include endpoints and file paths, which
the authentication libraries use to acquire a token. When you accept credential
configurations from an external source, you must validate the configuration
before using it. If you don't validate the configuration, a malicious actor
could use the credential to compromise your systems and data.
Validate credential configurations from external sources
How you need to validate your external credentials depends on what types of
credential your application accepts.
Validate service account keys
If your application accepts only service account keys, use a credential
loader specific to service account keys, as shown in the following examples. The
type-specific credential loader parses only the fields present for service
account keys, which don't expose any vulnerabilities.
If you can't use a type-specific credential loader, validate the credential by
confirming that the value for the type field is service_account. If the
value for the type field is any other value, don't use the service account
key.
The following table lists the fields you need to validate, if they are present
in your credentials. Not all of these fields are present for all credential
configurations.
Field
Purpose
Expected value
service_account_impersonation_url
The authentication libraries use this field to access an endpoint to
generate an access token for the service account being impersonated.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-14 UTC."],[[["Client libraries simplify accessing Google Cloud APIs by handling tasks like authentication and reducing the amount of code needed, especially with Application Default Credentials (ADC)."],["To use ADC, you must set it up for your environment, which the client library will automatically utilize for authentication without needing explicit token management."],["API keys can be used with certain client libraries and APIs, but they need to be managed securely to prevent unauthorized access and unexpected charges."],["When accepting credential configurations from external sources, it is important to validate them thoroughly to prevent security compromises, particularly by confirming specific fields like the `type` and checking if `service_account` or other URL values are correct."],["Service account keys can be validated using credential loader specific to them, otherwise, the 'type' field should be verified to ensure it is set to `service_account`."]]],[]]
