[Bug]: gateway install --force drops GOOGLE_APPLICATION_CREDENTIALS — google-vertex auth fails after service reinstall

[ordiy]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

When openclaw doctor (or openclaw gateway install --force) regenerates the systemd service file, it does not include GOOGLE_APPLICATION_CREDENTIALS in the Environment= entries, even if this variable is defined in the env block of openclaw.json.

As a result, the gateway process cannot authenticate with the google-vertex provider via Application Default Credentials (ADC), and all agent calls fail immediately after the service is reinstalled.

Steps to reproduce

1. Configure openclaw.json with env.GOOGLE_APPLICATION_CREDENTIALS pointing to a GCP service account JSON file
2. Set agents.defaults.model to google-vertex/gemini-3-flash-preview (or similar)
3. Run openclaw doctor and accept the prompt to update gateway service config
4. Restart the gateway via systemd
5. Observe all agent requests fail with auth error

Expected behavior

All variables in openclaw.json's env block (or at least GOOGLE_APPLICATION_CREDENTIALS) should be forwarded to the systemd service Environment= entries, consistent with how GOOGLE_CLOUD_PROJECT and GOOGLE_CLOUD_LOCATION are already included.

Actual behavior

Error in journalctl --user -u openclaw-gateway:

Error: No API key found for provider "google-vertex".
Auth store: /home/openclaw/.openclaw/agents/main/agent/auth-profiles.json

The generated ~/.config/systemd/user/openclaw-gateway.service includes:

Environment=GOOGLE_CLOUD_PROJECT=myproject
Environment=GOOGLE_CLOUD_LOCATION=global

But is missing:

Environment=GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json

Workaround

Option A — Add to ~/.openclaw/.env (survives gateway install --force):

echo 'GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json' >> ~/.openclaw/.env

Option B — Manually add to the systemd service file, then daemon-reload:

Environment=GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json

systemctl --user daemon-reload && systemctl --user restart openclaw-gateway

OpenClaw version

2026.4.8

Operating system

Ubuntu 24.04 (x64) — VPS / systemd user service

Install method

npm global

Model

google-vertex/gemini-3-flash-preview

Provider / routing chain

openclaw → google-vertex (Vertex AI via ADC / service account JSON)

Logs, screenshots, and evidence

Apr 10 11:33:33 node: Error: No API key found for provider "google-vertex".
  Auth store: /home/openclaw/.openclaw/agents/main/agent/auth-profiles.json (agentDir: ...)
Apr 10 11:33:33 node: [model-fallback] decision=candidate_failed reason=auth next=none
Apr 10 11:33:33 node: Embedded agent failed before reply: No API key found for provider "google-vertex".

Additional information

Related: #61847 (same class of issue — gateway install --force drops user-added Environment= entries; AWS case)

The env block in openclaw.json already forwards GOOGLE_CLOUD_PROJECT and GOOGLE_CLOUD_LOCATION to the systemd unit. GOOGLE_APPLICATION_CREDENTIALS should be treated consistently.

[Jah-yee]

Regression confirmed - env vars not fully forwarded to systemd.

The env block in openclaw.json selectively forwards vars, missing GOOGLE_APPLICATION_CREDENTIALS.

Fix

Add GOOGLE_APPLICATION_CREDENTIALS to the forwarded environment variables in the gateway install logic.

Current forwarded: GOOGLE_CLOUD_PROJECT, GOOGLE_CLOUD_LOCATION
Need to add: GOOGLE_APPLICATION_CREDENTIALS (and similar vars per #61847)

This is a simple config addition in the install script.

Good catch!
RoomWithOutRoof

[steipete]

Closing this as implemented after Codex review.

Current main already routes gateway-install service env through a generic durable env collector that includes safe config.env entries, so GOOGLE_APPLICATION_CREDENTIALS is no longer omitted from managed gateway service installs. The latest available release tag in this checkout, v2026.4.23, already contains the same logic and matching tests.

What I checked:

• Gateway install plan merges durable config env into service environment: buildGatewayInstallEnvironment spreads collectDurableServiceEnvVars({ env, config }) into the managed environment before installing the service, so service env is no longer limited to a small hardcoded cloud allowlist. (src/commands/daemon-install-helpers.ts:215, 11804a484ded)
• Config env collector accepts generic safe env keys: collectConfigServiceEnvVars reads both env.vars and top-level env.* string entries, skipping only dangerous startup/override vars. There is no provider-specific filtering that would exclude GOOGLE_APPLICATION_CREDENTIALS. (src/config/config-env-vars.ts:13, 11804a484ded)
• Durable service env precedence includes config env: collectDurableServiceEnvVars merges state-dir .env and config service env vars, with config env taking precedence for managed service installs. (src/config/state-dir-dotenv.ts:57, 11804a484ded)
• Gateway install passes environment into systemd unit rendering: runDaemonInstall passes the planned environment into service.install, and writeSystemdUnit renders those entries into the systemd unit via buildSystemdUnit({ environment, environmentFiles }). (src/cli/daemon-cli/install.ts:157, 11804a484ded)
• Systemd writer persists inline env plus .env-backed EnvironmentFile entries: Linux installs split matching state-dir .env values into an EnvironmentFile and keep the remaining managed env vars inline in the unit, which is the exact path relevant to gateway install --force rewriting the service. (src/daemon/systemd.ts:455, 11804a484ded)
• Regression coverage exists in tests: Tests assert that gateway install merges safe config env into the service environment and that config service env overrides state-dir .env values. (src/commands/daemon-install-helpers.test.ts:169, 11804a484ded)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 11804a484ded; fix evidence: commit a9797214338b.