public class ComputeCredential : ServiceCredential, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IHttpExecuteInterceptor, IBlobSigner
Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0
Authorization Server supports server-to-server interactions such as those between a web application and Google
Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an
end-user doesn't have to be involved.
The metadata server url. This can be overridden (for the purposes of Compute environment detection and
auth token retrieval) using the GCE_METADATA_HOST environment variable.
This value is cached, because for changing the default service account associated to a
Compute VM, the machine needs to be turned off. This means that the operation is only
asynchronous when calling for the first time.
Note that if, when fetching this value, an exception is thrown, the exception is cached and
will be rethrown by the task returned by any future call to this method.
You can create a new ComputeCredential instance if that happens so fetching
the service account default email is re-attempted.
public static Task<bool> IsRunningOnComputeEngine()
Detects if application is running on Google Compute Engine. This is achieved by attempting to contact
GCE metadata server, that is only available on GCE. The check is only performed the first time you
call this method, subsequent invocations used cached result of the first call.
The private key associated with the Compute service account is not known locally
by a ComputeCredential. Signing happens by executing a request to the IAM Credentials API
which increases latency and counts towards IAM Credentials API quotas. Aditionally, the first
time a ComputeCredential is used to sign data, a request to the metadata server is made to
to obtain the email of the default Compute service account.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThe ComputeCredential class in the Google.Apis.Auth.OAuth2 namespace facilitates server-to-server interactions with Google Cloud services by utilizing OAuth 2.0 for authentication without the need for end-user involvement.\u003c/p\u003e\n"],["\u003cp\u003eIt inherits from ServiceCredential and implements multiple interfaces such as IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, and IBlobSigner, allowing for advanced functionalities like handling HTTP responses, providing OIDC tokens, and signing blobs.\u003c/p\u003e\n"],["\u003cp\u003eThe class can detect if an application is running on Google Compute Engine and provides methods like \u003ccode\u003eGetDefaultServiceAccountEmailAsync\u003c/code\u003e and \u003ccode\u003eGetOidcTokenAsync\u003c/code\u003e to retrieve the default service account email and an OIDC token, respectively.\u003c/p\u003e\n"],["\u003cp\u003eIt includes the ability to sign data using the private key associated with the Compute service account through the \u003ccode\u003eSignBlobAsync\u003c/code\u003e method, which communicates with the IAM Credentials API for signing operations.\u003c/p\u003e\n"],["\u003cp\u003eThe latest version available is 1.69.0, and prior versions dating back to 1.50.0 are listed in the content provided.\u003c/p\u003e\n"]]],[],null,["# Class ComputeCredential (1.69.0)\n\nVersion latestkeyboard_arrow_down\n\n- [1.69.0 (latest)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ComputeCredential)\n- [1.68.0](/dotnet/docs/reference/Google.Apis/1.68.0/Google.Apis.Auth.OAuth2.ComputeCredential)\n- [1.60.0](/dotnet/docs/reference/Google.Apis/1.60.0/Google.Apis.Auth.OAuth2.ComputeCredential)\n- [1.59.0](/dotnet/docs/reference/Google.Apis/1.59.0/Google.Apis.Auth.OAuth2.ComputeCredential)\n- [1.55.0](/dotnet/docs/reference/Google.Apis/1.55.0/Google.Apis.Auth.OAuth2.ComputeCredential)\n- [1.50.0](/dotnet/docs/reference/Google.Apis/1.50.0/Google.Apis.Auth.OAuth2.ComputeCredential) \n\n public class ComputeCredential : ServiceCredential, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IHttpExecuteInterceptor, IBlobSigner\n\nGoogle OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0\nAuthorization Server supports server-to-server interactions such as those between a web application and Google\nCloud Storage. The requesting application has to prove its own identity to gain access to an API, and an\nend-user doesn't have to be involved.\n\n\nMore details about Compute Engine authentication is available at:\n\u003chttps://cloud.google.com/compute/docs/authentication\u003e.\n\n\u003cbr /\u003e\n\nInheritance\n-----------\n\n[object](https://learn.microsoft.com/dotnet/api/system.object) \\\u003e [ServiceCredential](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential) \\\u003e ComputeCredential \n\nImplements\n----------\n\n[IHttpUnsuccessfulResponseHandler](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Http.IHttpUnsuccessfulResponseHandler), [IOidcTokenProvider](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.IOidcTokenProvider), [ICredential](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ICredential), [IConfigurableHttpClientInitializer](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Http.IConfigurableHttpClientInitializer), [ITokenAccessWithHeaders](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ITokenAccessWithHeaders), [ITokenAccess](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ITokenAccess), [IHttpExecuteInterceptor](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Http.IHttpExecuteInterceptor), [IBlobSigner](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.IBlobSigner) \n\nInherited Members\n-----------------\n\n[ServiceCredential.Logger](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_Logger) \n[ServiceCredential.TokenServerUrl](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_TokenServerUrl) \n[ServiceCredential.Clock](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_Clock) \n[ServiceCredential.AccessMethod](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_AccessMethod) \n[ServiceCredential.HttpClient](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_HttpClient) \n[ServiceCredential.Scopes](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_Scopes) \n[ServiceCredential.Token](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_Token) \n[ServiceCredential.QuotaProject](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_QuotaProject) \n[ServiceCredential.BuildCreateHttpClientArgs()](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_BuildCreateHttpClientArgs) \n[ServiceCredential.Initialize(ConfigurableHttpClient)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_Initialize_Google_Apis_Http_ConfigurableHttpClient_) \n[ServiceCredential.InterceptAsync(HttpRequestMessage, CancellationToken)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_InterceptAsync_System_Net_Http_HttpRequestMessage_System_Threading_CancellationToken_) \n[ServiceCredential.HandleResponseAsync(HandleUnsuccessfulResponseArgs)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_HandleResponseAsync_Google_Apis_Http_HandleUnsuccessfulResponseArgs_) \n[ServiceCredential.GetAccessTokenForRequestAsync(string, CancellationToken)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_GetAccessTokenForRequestAsync_System_String_System_Threading_CancellationToken_) \n[ServiceCredential.GetAccessTokenWithHeadersForRequestAsync(string, CancellationToken)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_GetAccessTokenWithHeadersForRequestAsync_System_String_System_Threading_CancellationToken_) \n[object.Equals(object)](https://learn.microsoft.com/dotnet/api/system.object.equals#system-object-equals(system-object)) \n[object.Equals(object, object)](https://learn.microsoft.com/dotnet/api/system.object.equals#system-object-equals(system-object-system-object)) \n[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode) \n[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype) \n[object.MemberwiseClone()](https://learn.microsoft.com/dotnet/api/system.object.memberwiseclone) \n[object.ReferenceEquals(object, object)](https://learn.microsoft.com/dotnet/api/system.object.referenceequals) \n[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)\n\nNamespace\n---------\n\n[Google.Apis.Auth.OAuth2](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2)\n\nAssembly\n--------\n\nGoogle.Apis.Auth.dll\n\nConstructors\n------------\n\n### ComputeCredential()\n\n public ComputeCredential()\n\nConstructs a new Compute credential instance.\n\n### ComputeCredential(Initializer)\n\n public ComputeCredential(ComputeCredential.Initializer initializer)\n\nConstructs a new Compute credential instance.\n\nFields\n------\n\n### MetadataServerUrl\n\n public const string MetadataServerUrl = \"http://169.254.169.254\"\n\nThe metadata server url. This can be overridden (for the purposes of Compute environment detection and\nauth token retrieval) using the GCE_METADATA_HOST environment variable.\n\nProperties\n----------\n\n### OidcTokenUrl\n\n public string OidcTokenUrl { get; }\n\nGets the OIDC Token URL.\n\nMethods\n-------\n\n### GetDefaultServiceAccountEmailAsync(CancellationToken)\n\n public Task\u003cstring\u003e GetDefaultServiceAccountEmailAsync(CancellationToken cancellationToken = default)\n\nReturns a task whose result, when completed, is the default service account email associated to\nthis Compute credential.\n\n**Remarks** \n\nThis value is cached, because for changing the default service account associated to a\nCompute VM, the machine needs to be turned off. This means that the operation is only\nasynchronous when calling for the first time.\n\n\nNote that if, when fetching this value, an exception is thrown, the exception is cached and\nwill be rethrown by the task returned by any future call to this method.\nYou can create a new [ComputeCredential](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ComputeCredential) instance if that happens so fetching\nthe service account default email is re-attempted.\n\n### GetOidcTokenAsync(OidcTokenOptions, CancellationToken)\n\n public Task\u003cOidcToken\u003e GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default)\n\nReturns an OIDC token for the given options.\n\n### IsRunningOnComputeEngine()\n\n public static Task\u003cbool\u003e IsRunningOnComputeEngine()\n\nDetects if application is running on Google Compute Engine. This is achieved by attempting to contact\nGCE metadata server, that is only available on GCE. The check is only performed the first time you\ncall this method, subsequent invocations used cached result of the first call.\n\n### RequestAccessTokenAsync(CancellationToken)\n\n public override Task\u003cbool\u003e RequestAccessTokenAsync(CancellationToken taskCancellationToken)\n\nRequests a new token.\n\n**Overrides** \n[ServiceCredential.RequestAccessTokenAsync(CancellationToken)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.OAuth2.ServiceCredential#Google_Apis_Auth_OAuth2_ServiceCredential_RequestAccessTokenAsync_System_Threading_CancellationToken_)\n\n### SignBlobAsync(byte\\[\\], CancellationToken)\n\n public Task\u003cstring\u003e SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default)\n\nSigns the provided blob using the private key associated with the service account\nthis ComputeCredential represents.\n\n**Remarks** \nThe private key associated with the Compute service account is not known locally\nby a ComputeCredential. Signing happens by executing a request to the IAM Credentials API\nwhich increases latency and counts towards IAM Credentials API quotas. Aditionally, the first\ntime a ComputeCredential is used to sign data, a request to the metadata server is made to\nto obtain the email of the default Compute service account.\n\nExtension Method\n----------------\n\n[Utilities.ThrowIfNull\\\u003cT\\\u003e(T, string)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Util.Utilities#Google_Apis_Util_Utilities_ThrowIfNull__1___0_System_String_)"]]
