Applies to

Any SDK or MCP server that reads Google Cloud Application Default Credentials (ADC):
SDK / Tool | Credential file
--- | ---
Anthropic Python SDK (Vertex) | ~/.config/gcloud/application_default_credentials.json
google-cloud-aiplatform | ~/.config/gcloud/application_default_credentials.json
Any google-auth based client | ~/.config/gcloud/application_default_credentials.json

Create the stub

Create the directory if it doesn’t exist: mkdir -p ~/.config/gcloud

~/.config/gcloud/application_default_credentials.json

{
  "account": "onecli-managed",
  "client_id": "onecli-managed",
  "client_secret": "onecli-managed",
  "quota_project_id": "onecli-managed",
  "refresh_token": "onecli-managed",
  "type": "authorized_user",
  "universe_domain": "googleapis.com"
}

Rules

  • Never overwrite existing files that don’t contain onecli-managed values. The user likely has real gcloud credentials at this path.
  • All sentinel values use the string onecli-managed so they’re easy to detect programmatically.
  • type must be "authorized_user" for the SDK to attempt the OAuth refresh flow.
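
One way to apply these rules when creating the stub, as an added example rather than OneCLI's own code. The names ensure_stub and is_onecli_stub are assumptions, as is the policy of treating a file as a stub only when all five sentinel fields equal onecli-managed; anything else, including unparseable files, is left untouched.

```python
import json
import os
import tempfile
from pathlib import Path

SENTINEL = "onecli-managed"
STUB = {
    "account": SENTINEL,
    "client_id": SENTINEL,
    "client_secret": SENTINEL,
    "quota_project_id": SENTINEL,
    "refresh_token": SENTINEL,
    "type": "authorized_user",  # required so the SDK attempts the OAuth refresh flow
    "universe_domain": "googleapis.com",
}
SENTINEL_FIELDS = [k for k, v in STUB.items() if v == SENTINEL]
DEFAULT_PATH = Path.home() / ".config/gcloud/application_default_credentials.json"


def is_onecli_stub(path):
    """True only if the file parses as JSON and every sentinel field holds the sentinel."""
    try:
        data = json.loads(Path(path).read_text())
    except (OSError, ValueError):  # unreadable, bad encoding or invalid JSON
        return False
    return isinstance(data, dict) and all(data.get(k) == SENTINEL for k in SENTINEL_FIELDS)


def ensure_stub(path=DEFAULT_PATH):
    """Write the stub; return 'created', 'refreshed' or 'skipped' (foreign file kept as is)."""
    path = Path(path)
    if path.exists() and not is_onecli_stub(path):
        return "skipped"  # likely real gcloud credentials: never overwrite
    status = "refreshed" if path.exists() else "created"
    path.parent.mkdir(parents=True, exist_ok=True)  # same effect as mkdir -p
    # Write a temp file in the same directory (mkstemp creates it with mode 0600),
    # then rename it into place so readers never see a half-written file.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".adc-stub-")
    with os.fdopen(fd, "w") as fh:
        json.dump(STUB, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, path)
    return status


if __name__ == "__main__":
    print(ensure_stub())
```
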

How it works

The SDK reads the stub and sees dummy credentials. When it tries to exchange the refresh token at oauth2.googleapis.com/token, the OneCLI gateway intercepts the request and returns a real access token from the Vertex AI app connection you registered. The SDK then uses that token for requests to {region}-aiplatform.googleapis.com. The gateway also injects the x-goog-user-project header for quota and billing.