[google-vertex] provider rejects service_account ADC; only authorized_user accepted

[jared-rebel]

Feature Request

Please add service_account ADC support to the google-vertex provider, in addition to the existing authorized_user flow.

---

Problem Statement

The google-vertex provider's ADC layer silently rejects standard GCP service-account JSON key files. In dist/vertex-adc-CXnQBcxJ.js (source: extensions/google/vertex-adc.ts), the credential-reader bails out immediately if the credentials file is not authorized_user:

// extensions/google/vertex-adc.ts (line ~38 in dist)
if (record.type !== "authorized_user") return;

hasGoogleVertexAuthorizedUserAdcSync also hard-codes the same check:

parsed.type === "authorized_user"

So if GOOGLE_APPLICATION_CREDENTIALS (or ~/.config/gcloud/application_default_credentials.json) points to a service-account JSON key, OpenClaw silently falls through to "no credentials" and the request fails.

---

Why This Matters

Google's ADC documentation defines two standard credential types that ADC consumers are expected to handle:

Type	Source
authorized_user	gcloud auth application-default login
service_account	Downloaded SA JSON key, set via GOOGLE_APPLICATION_CREDENTIALS

For headless/server-side deployments (VMs, containers, systemd services like OpenClaw), service-account JSON is the standard GCP practice. authorized_user requires an interactive browser flow and binds auth to a human's Google session — it's unsuitable for:

• Credential durability (user sessions expire)
• Service-account isolation (least-privilege per workload)
• CI/CD and server environments

---

Repro

1. Create a GCP service account with roles/aiplatform.user
2. Download the SA JSON key and set GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
3. Configure OpenClaw with google-vertex provider (ADC path)
4. Attempt any google-vertex model call
5. Observed: Call fails — OpenClaw does not pick up SA credentials; falls through to "No API key found" or similar
6. Verified independently: Direct curl with gcloud auth application-default print-access-token (which does support SA JSON) returns valid responses against us-central1-aiplatform.googleapis.com Vertex endpoints for gemini-2.5-flash and gemini-2.5-pro

We provisioned vertex-ai-runtime@alberto-openclaw.iam.gserviceaccount.com with roles/aiplatform.user and confirmed SA key auth works end-to-end via curl — just can't plug it into OpenClaw.

---

Expected Behavior

The provider should accept both ADC credential types, mirroring standard Google ADC semantics:

• type === "authorized_user" → existing refresh-token OAuth flow (unchanged)
• type === "service_account" → use google-auth-library's GoogleAuth (or equivalent) with keyFile and scopes ["https://www.googleapis.com/auth/cloud-platform"] to mint an access token, then attach it as Authorization: Bearer <token>

---

Proposed Fix Sketch

In extensions/google/vertex-adc.ts, add a parallel service_account path:

// After reading the credentials file:
if (record.type === "service_account") {
  // Use google-auth-library (already a transitive dep via @google/genai)
  const { GoogleAuth } = await import("google-auth-library");
  const auth = new GoogleAuth({
    keyFile: credentialsPath,
    scopes: ["https://www.googleapis.com/auth/cloud-platform"],
  });
  const client = await auth.getClient();
  const tokenResponse = await client.getAccessToken();
  return { token: tokenResponse.token!, expiresAtMs: Date.now() + 3600_000 };
}

The rest of the Vertex transport request-signing logic (constructing the Vertex AI endpoint URL, attaching Authorization: Bearer) should not need to change — only the credential-resolution step.

Note: google-auth-library is already a transitive dependency of @google/genai so no new package dependency is needed.

---

Additional Notes

• gemini-3.1-pro-preview 404: Vertex AI returns 404 for gemini-3.1-pro-preview — this model is not in the Vertex catalog. This affects users on Vertex who want stable Gemini models; gemini-2.5-flash and gemini-2.5-pro work fine.
• Current workaround: We're keeping the AI Studio API-key path active for our Gemini usage while we wait for service-account support on the Vertex path.
• Related issues: Google provider: implement proper Vertex AI OAuth and endpoint routing #60736 (Vertex endpoint routing), google-vertex provider broken on Node 25+ and ADC credential handling #71853 (authorized_user ADC marker leak — now fixed on main)

---

Environment

• OpenClaw version: 2026.5.x (installed via npm global, Linux x64)
• GCP project: server-side Linux deployment
• Auth target: us-central1-aiplatform.googleapis.com
• Models tested: gemini-2.5-flash, gemini-2.5-pro

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as duplicate/superseded: current main still rejects service_account ADC for Google Vertex, but the same remaining Vertex ADC work is already tracked by #60736 and the open implementation at #60860 already includes service_account handling.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Review details

Best possible solution:

Keep the service_account acceptance criterion on the canonical Google Vertex PR or its successor, then close the broader Vertex tracking issue after the merged implementation covers both ADC credential types with tests.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows a service_account ADC file can match the setup evidence path, but the current runtime reader and native transport gate both require type === "authorized_user", so service_account falls through before Vertex bearer auth runs.

Is this the best way to solve the issue?

Yes for cleanup. Consolidating this into #60860 is narrower for maintainers than tracking a parallel issue, because that open PR already changes the same Google Vertex ADC files and includes service_account coverage.

Security review:

Security review: No patch is under review for this issue; the eventual Google Vertex auth PR still needs normal credential-handling review before merge.

What I checked:

• current-main-authorized-user-only-reader: The Google Vertex ADC reader returns undefined unless the parsed credentials file has type authorized_user, so a service_account JSON is rejected before token resolution. (extensions/google/vertex-adc.ts:77, 9bf5f52a1924)
• current-main-authorized-user-only-gate: The provider only selects the native Google Vertex transport when hasGoogleVertexAuthorizedUserAdcSync() is true, and that sync check also requires type authorized_user. (extensions/google/provider-registration.ts:60, 9bf5f52a1924)
• adc-evidence-contract: The Google plugin setup metadata accepts GOOGLE_APPLICATION_CREDENTIALS and gcloud ADC fallback paths as auth evidence for google-vertex without narrowing that metadata to authorized_user only. (extensions/google/openclaw.plugin.json:594, 9bf5f52a1924)
• current-test-gap: Current main has focused Google Vertex ADC transport tests for authorized_user credentials and APPDATA fallback, while a search found no service_account or GoogleAuth path in extensions/google. (extensions/google/transport-stream.test.ts:448, 9bf5f52a1924)
• canonical-open-pr-covers-service-account: The open Google Vertex PR closes the linked canonical issue and its diff adds service_account ADC handling, including an isAdcServiceAccount branch, a service_account token test, and an error that names authorized_user or service_account JSON. (extensions/google/vertex-adc.ts)
• authorized-user-fix-is-not-this-fix: The earlier authorized_user ADC fix added the current vertex-adc.ts path but did not add service_account support, so this review is closing against the broader open Vertex ADC work rather than treating current main as implemented. (extensions/google/vertex-adc.ts, 0b59964ec945)

Likely related people:

• steipete: GitHub commit metadata shows 0b59964 added the current Google Vertex authorized_user ADC helper and modified the provider registration, transport, tests, and changelog for that path. (role: introduced current related behavior / recent maintainer; confidence: high; commits: 0b59964ec945; files: extensions/google/vertex-adc.ts, extensions/google/provider-registration.ts, extensions/google/transport-stream.ts)
• PewterZz: Open PR feat(google): add Google Vertex AI provider with ADC auth and global endpoint routing #60860 closes the linked canonical Google Vertex issue and its diff already adds service_account ADC support in the Google plugin. (role: canonical implementation candidate author; confidence: high; commits: 9b8fb6309d0c, 20db9d940907, 2c7bd7545ef5; files: extensions/google/vertex-adc.ts, extensions/google/vertex-adc.test.ts, extensions/google/vertex-region.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9bf5f52a1924.