
Google reCAPTCHA Enterprise: Your default credentials were not found


I'm setting up Google reCAPTCHA Enterprise for my website (.NET MVC). It works fine on my dev environment, but on the production server it can't find the Application Default Credentials. What I get is this error message (in my application logs): "Your default credentials were not found".

I'm following Google's instructions here: https://cloud.google.com/docs/authentication/application-default-credentials#GAC

I've already tried both the following methods:

  • Setting the environment variable GOOGLE_APPLICATION_CREDENTIALS with the path to my .json credentials file. The file is stored in a folder outside the IIS virtual directory. The folder grants read permissions to the application pool identity (I've also tried giving permissions to Everyone, for good measure).

  • Installing and configuring the gcloud CLI, setting the default project and running the gcloud auth application-default login command. It successfully created the credentials file in Appdata\Roaming\gcloud\application_default_credentials.json.

  • Of course I've tried to restart both IIS and the whole server (Win Server 2022) after setting the environment variables.

My code is simply taken from Google's documentation:

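using System.Web;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.RecaptchaEnterprise.V1;

// reCAPTCHA site key and Google Cloud project ID (placeholders)
private const string _key = "<mykey>";
private const string _projectID = "<myprojectid>";

// Just caching my client, as suggested by Google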
internal RecaptchaEnterpriseServiceClient _client
{
    get
    {
        if (HttpContext.Current.Session["RecaptchaClient"] != null)
        {
            return (RecaptchaEnterpriseServiceClient)HttpContext.Current.Session["RecaptchaClient"];
        }
        else
        {
            var client = RecaptchaEnterpriseServiceClient.Create();
            HttpContext.Current.Session["RecaptchaClient"] = client;
            return client;
        }
    }
}


public Assessment Evaluate(string token = "action-token", string recaptchaAction = "action-name")
{

    ProjectName projectName = new ProjectName(_projectID);

    // Build the assessment request.
    CreateAssessmentRequest createAssessmentRequest = new CreateAssessmentRequest()
    {
        Assessment = new Assessment()
        {
            // Set the properties of the event to be tracked.
            Event = new Event()
            {
                SiteKey = _key,
                Token = token,
                ExpectedAction = recaptchaAction
            },
        },
        ParentAsProjectName = projectName
    };

    Assessment response = _client.CreateAssessment(createAssessmentRequest);
    return response;
}

Does anyone have any hint of what to try next?


Solution

  • Try using a service account for authentication as an alternative.

    Create a service account in GCP and download its JSON key file. Place the JSON key file in a secure location within your website's directory structure (ideally outside the webroot for security).

    Then update your code to use GoogleCredential.FromServiceAccountKeyFile to load credentials from the JSON key file instead of relying on ADCs.
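
One way to load the key file explicitly and to log what the IIS worker process can actually see, as an added example that is not code from the question, the answer, or Google's documentation. It assumes the Google.Cloud.RecaptchaEnterprise.V1 package and uses the client builder's CredentialsPath property; `RecaptchaClientFactory`, `DescribeCredentialSources` and the `D:\secrets\recaptcha-sa.json` path are hypothetical names chosen for illustration.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;
using Google.Cloud.RecaptchaEnterprise.V1;

public static class RecaptchaClientFactory // hypothetical name
{
    // Placeholder (assumption): key file outside the IIS virtual directory.
    private const string KeyPath = @"D:\secrets\recaptcha-sa.json";

    // One client per process. PublicationOnly does not cache a failed Build(),
    // so a corrected file permission takes effect on the next request.
    private static readonly Lazy<RecaptchaEnterpriseServiceClient> _client =
        new Lazy<RecaptchaEnterpriseServiceClient>(Build, LazyThreadSafetyMode.PublicationOnly);

    public static RecaptchaEnterpriseServiceClient Client => _client.Value;

    // What the worker process itself can see; logs paths only, never key material.
    public static string DescribeCredentialSources()
    {
        string envPath = Environment.GetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS");
        string appData = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
        // Can be empty when the app pool identity has no loaded user profile.
        string gcloudFile = string.IsNullOrEmpty(appData) ? null
            : Path.Combine(appData, "gcloud", "application_default_credentials.json");
        return "identity=" + WindowsIdentity.GetCurrent().Name
            + "; GOOGLE_APPLICATION_CREDENTIALS=" + (envPath ?? "(not set)") + " readable=" + CanRead(envPath)
            + "; gcloud file=" + (gcloudFile ?? "(no profile)") + " readable=" + CanRead(gcloudFile)
            + "; explicit key=" + KeyPath + " readable=" + CanRead(KeyPath);
    }

    private static bool CanRead(string path)
    {
        if (string.IsNullOrEmpty(path)) return false;
        try { using (File.OpenRead(path)) { return true; } }
        catch (Exception) { return false; } // missing file, ACL denial, malformed path
    }

    private static RecaptchaEnterpriseServiceClient Build()
    {
        if (!CanRead(KeyPath))
            throw new InvalidOperationException(
                "Service account key not readable. " + DescribeCredentialSources());
        // CredentialsPath loads this file directly instead of running the ADC lookup.
        return new RecaptchaEnterpriseServiceClientBuilder { CredentialsPath = KeyPath }.Build();
    }
}
```

The diagnostic string shows which Windows identity the request runs as, so it is immediately visible whether the environment variable and the gcloud file created under an interactive login exist for that identity at all.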