惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
GRAHAM CLULEY
V
V2EX
WordPress大学
WordPress大学
博客园 - Franky
Last Week in AI
Last Week in AI
博客园 - 司徒正美
有赞技术团队
有赞技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 【当耐特】
V
Visual Studio Blog
C
CERT Recently Published Vulnerability Notes
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Jina AI
Jina AI
Attack and Defense Labs
Attack and Defense Labs
腾讯CDC
The Hacker News
The Hacker News
Hugging Face - Blog
Hugging Face - Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
J
Java Code Geeks
人人都是产品经理
人人都是产品经理
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
A
Arctic Wolf
量子位
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
雷峰网
雷峰网
博客园_首页
Google Online Security Blog
Google Online Security Blog
Spread Privacy
Spread Privacy
罗磊的独立博客
H
Hacker News: Front Page
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
TaoSecurity Blog
TaoSecurity Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 三生石上(FineUI控件)
宝玉的分享
宝玉的分享
IT之家
IT之家
The Cloudflare Blog
爱范儿
爱范儿
博客园 - 叶小钗
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
How to Use Your Google Cloud Credits for Gemini Again, via Vertex AI and ADC
Bravian · 2026-06-26 · via DEV Community

I've always pulled my Gemini API keys from AI Studio; like, I'm sure, most of you did. A few days ago I got a call from a client telling me the AI features in my app had stopped working. I logged in and confirmed it: something was wrong with my billing. So I checked my Google Cloud account to see whether the credits had run out, but there was still a big chunk left before I'd have to start paying. I created a fresh API key and tried to link it to that billing account, and it failed.

After some digging, the answer was blunt: that workflow is gone. You can no longer spend Google Cloud credits in AI Studio.

Google has split the billing worlds apart. The Gemini Developer API (the one you get keys for in AI Studio) now runs on its own billing track. The headline change that bit a lot of people: if you created your account after March 2, 2026, the $300 free "Welcome" credits can no longer be spent on Gemini API / AI Studio usage at all, and existing accounts like mine found the old credit link quietly severed too. They explicitly say those credits can still be used on other Google Cloud products in the Google Cloud console, and that's the crack in the wall we're going to walk through.

And "other Google Cloud products" includes Vertex AI, Google's managed platform for running the very same Gemini models. So the move is simple: stop using AI Studio keys and start calling Gemini through Vertex AI. Same models, different door, and that door still takes your Cloud credits.

There's one catch, and it's the thing this article is really about: Vertex AI doesn't want you using API keys. Instead it uses Application Default Credentials (ADC). The concept didn't quite make sense to me when I was doing this, so I decided to make this tutorial for the next person who might need it. Let me show you the whole thing: local dev, a real server, and Vercel.

Quick naming note: Vertex AI is in the middle of a rebrand toward "Gemini Enterprise / Agent Platform." You'll see both names in Google's own docs right now. It's the same platform, the Cloud-native home for Gemini.


What ADC actually is

Application Default Credentials is just a convention. Instead of pasting a secret key into your code, the Google client libraries go looking for credentials in a fixed list of places, in order:

  1. The GOOGLE_APPLICATION_CREDENTIALS environment variable (a path to a service-account JSON key).
  2. Credentials left behind by gcloud auth application-default login (your local user login).
  3. The credentials attached to the environment itself, e.g. the metadata server on Compute Engine, Cloud Run, GKE.

Your code never changes. The environment supplies the identity. That's the whole idea: the same app authenticates on your laptop, on a server, and in Cloud Run without a single line of credential code.


Step 0: One-time Google Cloud setup

You need a project with the Vertex AI API turned on and a billing account (with your credits) attached. If you can, keep the project outside an organization; projects under an org pull in extra IAM and policy setup that's just an unnecessary headache for this.

# Pick or create a project
gcloud projects create my-gemini-project        # or use an existing one
gcloud config set project my-gemini-project

# Make sure billing (with your credits) is linked, then enable the API
gcloud services enable aiplatform.googleapis.com

Confirm in the console that your credits are applied to this project's billing account. This is the part that makes the credits actually pay for Vertex usage.


Step 1: Local development, just log in

On your own machine, you don't need a key file at all. You log in once and ADC handles the rest.

# Install the gcloud CLI first if you haven't:
# https://cloud.google.com/sdk/docs/install

gcloud auth application-default login

A browser window opens, you pick your Google account, and gcloud writes credentials to a well-known location on disk (~/.config/gcloud/application_default_credentials.json). From now on, any Google client library running as you finds them automatically.

One gotcha: if you previously set GOOGLE_API_KEY or GEMINI_API_KEY in your shell, unset them: the SDK will prefer a key over ADC and you'll wonder why nothing changed.

unset GOOGLE_API_KEY
unset GEMINI_API_KEY

Calling Gemini through Vertex with the new SDK

Google's current, unified library is google-genai. The trick is to flip it into Vertex mode. You do that either with constructor arguments or three environment variables.

npm install @google/genai

export GOOGLE_GENAI_USE_VERTEXAI=true
export GOOGLE_CLOUD_PROJECT="my-gemini-project"
export GOOGLE_CLOUD_LOCATION="global"

import { GoogleGenAI } from "@google/genai";

// vertexai: true tells the SDK to use the Vertex backend (ADC),
// not the AI Studio key backend.
const ai = new GoogleGenAI({
  vertexai: true,
  project: process.env.GOOGLE_CLOUD_PROJECT,
  location: process.env.GOOGLE_CLOUD_LOCATION ?? "global",
});

const response = await ai.models.generateContent({
  model: "gemini-3.1-flash-lite",
  contents: "Why is the sky blue?",
});

console.log(response.text);

Run it. If it returns text, your credits (not a credit card) just paid for that call. Notice what's not there: no API key. The client picks up your gcloud login through ADC.

Why global? Not every model is available in every region, and trying to call one that isn't deployed in your chosen region is a classic source of 404s. The global endpoint routes your request to wherever the model actually lives, so it's the safest default while you're getting started. Once you have a reason to pin a region (data residency, latency), switch GOOGLE_CLOUD_LOCATION to something like us-central1 and confirm your model is offered there.


Step 2: A real server, the sa-key.json approach

Your laptop login won't follow you onto a production box. A server isn't "you," and you don't want to run an interactive browser login on it. The standard answer is a service account: a non-human identity that owns a downloadable JSON key.

Create the service account and key

# 1. Create the service account
gcloud iam service-accounts create gemini-runner \
  --display-name="Gemini Vertex runner"

# 2. Grant it permission to call Vertex AI
gcloud projects add-iam-policy-binding my-gemini-project \
  --member="serviceAccount:gemini-runner@my-gemini-project.iam.gserviceaccount.com" \
  --role="roles/aiplatform.user"

# 3. Create and download the key
gcloud iam service-accounts keys create sa-key.json \
  --iam-account="gemini-runner@my-gemini-project.iam.gserviceaccount.com"

The role you want is roles/aiplatform.user ("Vertex AI User"). It's enough to call models and not much else. Don't hand it Owner.

Use the key on the server

Copy sa-key.json onto the server (over SCP, a secrets manager, your deploy pipeline, not into your git repo), lock down its permissions, and point ADC at it:

chmod 600 sa-key.json
export GOOGLE_APPLICATION_CREDENTIALS="/etc/secrets/sa-key.json"
export GOOGLE_GENAI_USE_VERTEXAI=true
export GOOGLE_CLOUD_PROJECT="my-gemini-project"
export GOOGLE_CLOUD_LOCATION="global"

Your application code does not change. The exact same new GoogleGenAI({ vertexai: true, ... }) from Step 1 now authenticates as the service account, because ADC found GOOGLE_APPLICATION_CREDENTIALS first in its lookup order.

That's the elegance of ADC: locally it's your login, on the server it's the key file, and the code is identical.

If your server is itself a Google Cloud resource (Compute Engine, Cloud Run, GKE), skip the key file entirely. Attach the service account to the resource and ADC reads credentials straight from the metadata server. No key to leak, no key to rotate. Prefer this whenever you can.

Treat that key like a password

A service-account JSON key is a long-lived secret. If it leaks, someone can burn your credits (or worse).

  • Never commit it. Add sa-key.json to .gitignore immediately.
  • chmod 600 it, store it via your platform's secret manager.
  • Rotate it periodically and delete keys you no longer use:
  gcloud iam service-accounts keys list \
    --iam-account="gemini-runner@my-gemini-project.iam.gserviceaccount.com"


Step 3: Deploying on Vercel (and other serverless hosts)

Vercel is where people get stuck, because there's no shell to run gcloud auth login and no persistent filesystem to drop a sa-key.json onto. Serverless functions are ephemeral.

The pattern that works: don't ship a file; ship the file's contents as an environment variable, then either hand them to the SDK directly or write them to the temp directory at startup.

Option A: write the key to /tmp at boot (works on the Node.js runtime)

Put the entire JSON of your sa-key.json into a Vercel environment variable called, say, GCP_SA_KEY. Then, before you create the client:

import { writeFileSync } from "node:fs";
import { GoogleGenAI } from "@google/genai";

// Reconstruct the key file in the only writable place: /tmp
const keyPath = "/tmp/sa-key.json";
writeFileSync(keyPath, process.env.GCP_SA_KEY!);
process.env.GOOGLE_APPLICATION_CREDENTIALS = keyPath;

const ai = new GoogleGenAI({
  vertexai: true,
  project: process.env.GOOGLE_CLOUD_PROJECT,
  location: process.env.GOOGLE_CLOUD_LOCATION ?? "global",
});

/tmp is the one writable path in most serverless runtimes, and ADC happily reads the key from there.

Option B: pass credentials in memory (better for Edge / no filesystem)

Edge runtimes are stripped-down: no fs, no Node built-ins. There, pass the parsed credentials object straight into the auth layer instead of relying on a file. If you use the Vercel AI SDK's Google Vertex provider, it's built for exactly this: you feed it the client_email, private_key, and project from your service-account JSON via env vars, and it never touches disk.

# Vercel env vars (from the fields inside your sa-key.json)
GOOGLE_VERTEX_PROJECT=my-gemini-project
GOOGLE_VERTEX_LOCATION=global
GOOGLE_CLIENT_EMAIL=gemini-runner@my-gemini-project.iam.gserviceaccount.com
GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"

import { createVertex } from "@ai-sdk/google-vertex/edge";
import { generateText } from "ai";

const vertex = createVertex({
  project: process.env.GOOGLE_VERTEX_PROJECT,
  location: process.env.GOOGLE_VERTEX_LOCATION,
  googleCredentials: {
    clientEmail: process.env.GOOGLE_CLIENT_EMAIL!,
    privateKey: process.env.GOOGLE_PRIVATE_KEY!,
  },
});

const { text } = await generateText({
  model: vertex("gemini-3.1-flash-lite"),
  prompt: "Summarize ADC in one sentence.",
});

console.log(text);

Watch the GOOGLE_PRIVATE_KEY newlines. Pasting the multi-line PEM into a dashboard often mangles them. The usual fix is to store it with literal \n and call .replace(/\\n/g, "\n") before use.

The same two options apply to Netlify, AWS Lambda, Cloud Functions, and friends. The principle never changes: get the credentials into the environment, let ADC find them.


Bonus: it's not just Gemini

Once you're on Vertex AI, you're not limited to Gemini. The same project, the same credits, and the exact same ADC setup also get you Anthropic's Claude models, Llama, Mistral, and a pile of other open-source models through Vertex's Model Garden, billed against the same credit balance, with no change to your authentication code. You simply swap the model ID and how you call it.


Hopefully this provides some clarity if the Google docs aren't clear enough, as they weren't for me.