This article covers authentication credentials when developing applications on Google Cloud.
When you run the gcloud auth application-default login command locally, you may see a warning like this:
WARNING:
Cannot add the project "dazzling-pillar-4369" to ADC as the quota project because the account in ADC does not have the "serviceusage.services.use" permission on this project. You might receive a "quota_exceeded" or "API not enabled" error. Run $ gcloud auth application-default set-quota-project to add a quota project.
This article explains the meaning, cause, and recommended practices related to this warning.
What Are Application Default Credentials (ADC)?
Application Default Credentials (ADC) are a mechanism for obtaining default credentials for applications to access Google Cloud services and APIs.
With ADC, applications can automatically discover the appropriate credentials depending on their environment:
- If the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable is set, the service account key or config file at that path is used. - Otherwise, credentials saved via the
gcloud auth application-default logincommand (user credentials saved locally in the ADC file) are used. - If neither is present, the default service account credentials for the environment (e.g., GCE or GKE) are retrieved from the metadata server.
ADC allows developers to access Google Cloud resources without hardcoding credentials.
When running gcloud auth application-default login locally, a credentials file is created (usually at ~/.config/gcloud/application_default_credentials.json), which is then used by client libraries.
Note: As mentioned in point 2 above, the gcloud auth application-default login command uses the permissions of your user account.
If you want your application to impersonate a specific service account, use gcloud auth application-default login --impersonate-service-account.
Understanding the Quota Project Warning
The warning shown at the start of this article relates to the Quota Project used with ADC.
- The project ID
"dazzling-pillar-4369"could not be set as the Quota Project because the account used by ADC lacks theserviceusage.services.usepermission on that project. - As a result, errors like
quota_exceededorAPI not enabledmay occur. - The recommended fix is to run
gcloud auth application-default set-quota-projectto explicitly set the Quota Project.
Let’s clarify what a “Quota Project” is.
There are two types of Google Cloud APIs: resource-based and client-based (Troubleshoot your ADC setup).
- Resource-based APIs use the settings and quotas of the project containing the resource.
- Client-based APIs, since they aren’t tied to a specific project, require explicit specification of the Quota Project (also referred to as the billing project).
When using user credentials (rather than a service account), client libraries require you to specify which project should be used for quota and billing purposes.
When gcloud auth application-default login is executed, the Cloud SDK attempts to associate the current project as the Quota Project for ADC.
However, if the user credentials (e.g., a Viewer role) do not include serviceusage.services.use permission for that project, this association fails, resulting in the warning message.
Reference – ADC Troubleshooting Docs
What Is serviceusage.services.use?
This is a permission required to use (and be billed for) services within a specific project.
It is included in the Service Usage Consumer role (roles/serviceusage.serviceUsageConsumer).
Viewer roles do not include this permission. So if your credentials only allow viewing a project, you cannot set it as a Quota Project.
As a side note, the warning mentions the following two possible errors if a Quota Project is not set:
quota_exceededAPI not enabled
You might wonder why quota_exceeded would occur if no project is associated.
It turns out that in the absence of a properly set Quota Project, some client-based API calls fall back to a shared Google-owned quota project (StackOverflow, Google Cloud Medium article).
If this fallback project doesn’t have the necessary APIs enabled, you may also see API not enabled.
Official documentation also mentions a mysterious fallback project ID (link), which is likely the shared quota project.
How to Set the Quota Project for ADC
First, ensure the account used by ADC has the serviceusage.services.use permission on the project you want to use.
Grant the Service Usage Consumer role:
gcloud projects add-iam-policy-binding <PROJECT_ID>
--member="user:<your-email@example.com>"
--role="roles/serviceusage.serviceUsageConsumer"
This gives the necessary permission to use the project’s services, allowing it to be set as the Quota Project.
Then, set the Quota Project in ADC:
gcloud auth application-default set-quota-project <PROJECT_ID>
This updates your local ADC file with a quota_project_id field.
From then on, any API calls made using ADC will use this project for billing and quota tracking.
Best Practices for Project Configuration
To prevent these types of errors in the future, here are some best practices:
Set a Default Quota Project in gcloud Configuration
While running gcloud auth application-default set-quota-project manually each time works, it can be tedious.
Instead, you can set the quota project in your gcloud config:
gcloud config set billing/quota_project <PROJECT_ID>
This ensures any future ADC credentials will automatically use this project.
Consider Using Service Accounts
For long-lived automated processes like CI/CD pipelines, using service accounts is better than user-based ADC.
With service accounts, you can assign only the necessary IAM roles and explicitly define the quota project.
Don’t Ignore Warnings or Errors
This last point is more of a mindset: don’t ignore warnings like these.
If left unresolved, your application may rely on fallback shared projects and break unexpectedly when quotas are hit or APIs are disabled.
Understanding and fixing such issues helps you prevent incidents, deepen your knowledge, and improve team technical strength.
Conclusion
Starting with a common ADC warning message, we explored what a Quota Project is, how to configure it, and some best practices for stable development.
Failing to set a proper Quota Project can result in unexpected errors and usage being billed to Google’s fallback project.
Setting a correct quota project ensures your API calls are tracked and billed properly under your own project.