Provides Google Cloud OAuth2 access tokens for Vertex AI via ADC.
Token resolution order:
GOOGLE_ACCESS_TOKENenvironment variable — direct token; useful for CI and testing.- JSON credential file resolved from credentialFilePath, then
GOOGLE_APPLICATION_CREDENTIALS, then~/.config/gcloud/application_default_credentials.json. Supports bothauthorized_user(refresh-token flow) andservice_account(RS256 JWT assertion flow, no extra dependencies). - GCE / GKE metadata server — Workload Identity path for production deployments.
Tokens are cached until one minute before expiry to minimise round-trips.
== Config-boundary exemption ==
This class reads GOOGLE_ACCESS_TOKEN and GOOGLE_APPLICATION_CREDENTIALS directly (hence the scalafix:off NoSystemGetenv at the top of the file), rather than receiving them through org.llm4s.config.Llm4sConfig like other settings. This is deliberate: Application Default Credentials is a runtime discovery protocol whose inputs (a possibly-rotated access token, the ambient credentials path, and the GCE/GKE metadata server) must be resolved lazily at token-fetch time, not frozen into static config at startup. The reads are funnelled through the injectable envReader so the class stays fully testable without touching the real environment.
Value parameters
- credentialFilePath
-
Optional explicit path to a Google JSON credential file.
- envReader
-
Environment variable reader; injectable for testing.
- fileReader
-
File reader; injectable for testing.
- httpClient
-
HTTP client for token-endpoint calls.
Attributes
- Companion
- object
- Graph
-
- Supertypes
-
class Objecttrait Matchableclass Any