Google Cloud Services extension pack for Quarkus

The Google Cloud Services extension pack provides Quarkus extensions for the following services:

They all share an optional common configuration property to set the project ID:<your-project-id>

If the project ID is not set, the extensions will default to using ServiceOptions.getDefaultProjectId() that will use the default project detected via Application Default Credentials.

All these extensions work with applications built as native image executables.

These extensions work well within the various Google Cloud Functions extensions available inside Quarkus as they directly authenticate via the built-in credentials, see the deploying to google cloud platform guide.

Dependency management

All Google Cloud services extensions are part of the Quarkus platform, if you’re using the platform BOM (io.quarkus.platform:quarkus-bom) there is no need to manage their version.

If you’re not using the platform BOM, you can use the Google Cloud services BOM to manage all versions:


Authenticating to Google Cloud

There are several ways to authenticate to Google Cloud, it depends on where your application runs (inside our outside Google Cloud Platform) and for which service.

The current authentication flow is as follows:

  • Check the property, if it exists, use the service account file from this location.

  • Check the property, if it exists, use the service account base64 encoded content.

  • Check the access token returned as part of OpenId Connect Authorization Code Grant response after a user has authenticated with Google OpenId Connect provider (see Quarkus OpenId Connect for Web Applications). This access token can be used to access Google Services on behalf of the currently authenticated user but will be ignored if the property is set to false.

  • Use GoogleCredentials.getApplicationDefault() that will search for credentials in multiple places:

  • Credentials file pointed to by the GOOGLE_APPLICATION_CREDENTIALS environment variable.

  • Credentials provided by the Google Cloud SDK gcloud auth application-default login command.

  • Google Cloud managed environment (Google App Engine, Google Cloud Functions, GCE, …​) built-in credentials.

Google PubSub and Google Bigtable should be authenticated using the GOOGLE_APPLICATION_CREDENTIALS environment variable, or use the provided CredentialsProvider when instantiating their objects.

Using Google Cloud services emulators

If you plan to use one of the Google Cloud services emulators (for running on localhost, or for testing purpose), on a non-authenticated environment, you’ll need to mock the Google Cloud authentication credentials, and optionally the CredentialsProvider if you’re using it (otherwise it will be removed by Quarkus CDI engine).

For testing, this can be done by creating a CDI producer that will produce a mocked bean (with Quarkus mock support and Mockito) to replace the Credentials and the CredentialsProvider beans.

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Default;
import javax.enterprise.inject.Produces;
import javax.inject.Singleton;


import io.quarkus.test.Mock;

public class GoogleCredentialsMockProducer {

    public Credentials googleCredential() {
        return NoCredentials.getInstance();

  // only needed if you're injecting it inside one of your CDI beans
  public CredentialsProvider credentialsProvider() {
    return NoCredentialsProvider.create();

Example applications

Example applications can be found inside the integration-test folder of the GitHub repository:

  • main: RESTEasy endpoints using all the Google Cloud Services extensions, to be deployed as a standalone JAR.

  • google-cloud-functions: A Google Cloud HTTP function using Google Cloud Storage.

  • app-engine: A RESTEasy endpoint using Google Cloud Storage, to be deployed inside Google App Engine.

  • firebase-admin: RESTEasy endpoints using Firebase Admin SDK features, such as user management.