claude-code icon indicating copy to clipboard operation
claude-code copied to clipboard
Published 1 week ago verified publisher icon anthropics

[BUG] Vertexai - Claude should use updated google credentials files when they change to support reauthentication

Open keithanz opened this issue 8 months ago • 1 comments

Environment

  • Platform (select one):
    • [ ] Anthropic API
    • [ ] AWS Bedrock
    • [x] Google Vertex AI
    • [ ] Other:
  • Claude CLI version: 0.2.64 (Claude Code)
  • Operating System: macos 15.3.2
  • Terminal: iTerm2

Bug Description

When running claude in an enterprise environment against claude hosted on vertexai one way to authenticate is to first run gcloud auth login --update-adc to get an auth token for the user, and then run claude with GOOGLE_APPLICATION_CREDENTIALS pointed to the application default credentials eg GOOGLE_APPLICATION_CREDENTIALS="$(echo ~)/.config/gcloud/application_default_credentials.json" claude This works well, until the credentials expire as a result of Session Length Restrictions. At that point claude logs API Error: {"error":"invalid_grant","error_description":"reauth related error and fails

Steps to Reproduce

  1. gcloud auth login --update-adc
  2. Start claude with GOOGLE_APPLICATION_CREDENTIALS="$(echo ~)/.config/gcloud/application_default_credentials.json" claude
  3. Verify claude works
  4. In a separate terminal run gcloud auth application-default revoke. This isnt exactly the same as a credential expiry, the error is API Error: 401 {"error":{"code":401,"message":"Request had invalid authentication but it simulates the problem well enough. Alternatively you would need to configure a Session Length Restrictions for your GCP environment, wait for this session length restriction to expire and then continue
  5. Go back to claude and test. Claude will fail
  6. Run gcloud auth login --update-adc to log back in
  7. Go back to claude and test. Claude will fail

Expected Behavior

After running gcloud auth login --update-adc in step 6 claude should load the new application default credentials and use those to authenticate to vertexai, and then step 7 should succeed

Actual Behavior

Step 7 fails, claude does not use the updated credentials file.

Additional Context

keithanz avatar Apr 07 '25 00:04 keithanz

Experiencing this today. I had to "Never require reauthentication" in my google admin settings to workaround, which is not ideal

aphexcx avatar May 24 '25 02:05 aphexcx

Found a fix - it seems that setting GOOGLE_APPLICATION_CREDENTIALS env variable means that the GCP auth library will cache the credentials and wont try to rediscover them when they expire. If you don't set GOOGLE_APPLICATION_CREDENTIALS and instead allow the gcp auth library to discover the app default credentials automatically it will reload the credentials once they expire. You still need to run gcloud auth login --update-adc when the creds expire, but you can do that in a separate terminal and don't need to exit claude

keithanz avatar May 26 '25 05:05 keithanz

This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.

github-actions[bot] avatar Aug 09 '25 14:08 github-actions[bot]