Fix OpenClaw Vertex ADC No API Key Found in Google Cloud
Problem statement: you configured OpenClaw with the Google Vertex AI provider using Application Default Credentials (ADC), but it throws "No API key found" errors even though your gcloud CLI and ADC setup work fine elsewhere. The provider should be using your service account or user credentials through ADC, but instead it's looking for an explicit API key that doesn't exist.
- Issue #56253 (2026-03-28): google-vertex provider ignores ADC credentials.
- Self-hosted deployments: GOOGLE_APPLICATION_CREDENTIALS is set but provider still reports missing API key.
- Cloud environments: Workload Identity and service account auth work for other tools but fail in OpenClaw Vertex.
Why Google Vertex ADC auth fails in OpenClaw
Google Cloud supports multiple authentication paths for Vertex AI. Application Default Credentials (ADC) automatically find credentials from environment variables, well-known file paths, or the metadata service. This works seamlessly with gcloud CLI, Cloud SDKs, and most Google integrations.
The problem occurs when the OpenClaw google-vertex provider implementation doesn't fully support ADC credential discovery. Instead of checking the standard GOOGLE_APPLICATION_CREDENTIALS environment variable or service account paths, the provider may only look for an explicit API key field.
This causes a mismatch: your credentials are valid and ADC works everywhere else, but OpenClaw still reports "No API key found."
Understanding Google's three auth paths for Gemini/Vertex
Confusion often comes from mixing up Google's multiple auth options. OpenClaw's landing documentation explicitly distinguishes these paths:
- Google Gemini API: Uses AI Studio API keys. This is the simplest path and works reliably in OpenClaw Setup.
- Google Gemini CLI: Uses the google-gemini-cli provider with subscription-style auth. Requires a credential JSON payload.
- Vertex AI: Enterprise Google Cloud path that typically uses ADC, service accounts, or workload identity. This is where the reported issue occurs.
The provider split implementation in OpenClaw shows these as separate backend providers with different auth expectations. When you choose Vertex AI, you're opting into the enterprise auth flow—but if that flow has an ADC bug, you get the "No API key found" error.
Evidence from the field: provider split and auth handling
First-party implementation worklogs confirm that Google providers were split into separate auth-mode variants, each with different credential expectations.
The google-gemini-cli provider exists alongside the standard google API key provider, and runtime canonicalization maps split providers to canonical runtime providers for model validation and auth profile generation.
What our implementation confirmed
- Provider split created separate backend providers: anthropic-claude-code and google-gemini-cli for auth-mode variants.
- Runtime canonicalization handles provider ID normalization for default-model and provider compatibility.
- Dashboard AI Model section supports real split provider IDs for add/edit/default-model filtering.
- Auth profile generation uses runtime canonical provider IDs, but ADC-style auth for Vertex may not follow the same pattern as API key auth.
This suggests the google-vertex provider may have incomplete ADC support compared to how API key-based providers handle credentials.
Fast triage: confirm the ADC issue in 10 minutes
- Verify ADC works outside OpenClaw: run gcloud auth application-default print-access-token to confirm ADC is functional.
- Check environment variables: verify GOOGLE_APPLICATION_CREDENTIALS points to a valid service account key file.
- Test with explicit API key: temporarily switch to Google Gemini API with an AI Studio key to isolate whether the problem is ADC-specific.
- Review OpenClaw logs: look for the exact error message and stack trace when Vertex AI provider initializes.
- Check provider configuration: confirm you selected the correct Google provider variant in OpenClaw's configuration.
If ADC works everywhere except OpenClaw, and switching to a direct API key fixes it, you've confirmed the google-vertex provider ADC issue.
Step-by-step diagnostic and fix playbook
Step 1: Verify your ADC configuration is actually valid
Before assuming this is an OpenClaw bug, confirm that your ADC setup works. Run gcloud auth application-default print-access-token. If this fails, fix your gcloud/ADC setup first. If it succeeds, your credentials are valid and the problem is in how OpenClaw's google-vertex provider reads them.
Step 2: Check GOOGLE_APPLICATION_CREDENTIALS path
Verify that the GOOGLE_APPLICATION_CREDENTIALS environment variable points to an existing, readable service account JSON key file. Test file permissions and confirm the JSON is valid. If you're using workload identity or implicit ADC, make sure the OpenClaw runtime environment has access to the metadata service.
Step 3: Switch to Google Gemini API as a workaround
If you don't specifically need Vertex AI enterprise features, the fastest fix is to switch to Google Gemini API. Get an API key from Google AI Studio, then configure OpenClaw with the Google Gemini API provider instead of google-vertex. This provider uses explicit API keys and bypasses the ADC issue entirely.
Step 4: Try explicit service account key instead of ADC
Some deployments work around ADC bugs by using an explicit service account key JSON instead of relying on ADC environment variables. Export your service account key from Google Cloud, save it to a file, and configure OpenClaw to use the key file path directly rather than depending on GOOGLE_APPLICATION_CREDENTIALS discovery.
Step 5: Check for environment variable propagation issues
If you're running OpenClaw in Docker or a containerized environment, verify that GOOGLE_APPLICATION_CREDENTIALS is actually propagated into the container. Check docker-compose.yml or Kubernetes deployment configs to ensure the environment variable is passed through. Container restarts may be required after changing environment variables.
Step 6: Verify google-vertex provider selection in OpenClaw config
Review your OpenClaw instance configuration to confirm which Google provider is selected. The provider split means google, google-gemini-cli, and potentially google-vertex are different options. If you intended to use ADC-style auth, ensure you're using the correct provider variant that supports it.
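The file checks from Steps 2 and 5, as an added example (not OpenClaw code): run it in the same shell or container that starts OpenClaw, so it sees the environment the provider sees. The function names are hypothetical, the well-known path is the Linux/macOS gcloud default, and the per-type field sets are an assumption about the minimum Google's auth libraries need.

```python
import json
import os
import stat
from pathlib import Path

# Assumption: minimum fields Google auth libraries expect per credential type.
REQUIRED = {
    "service_account": {"client_email", "private_key", "token_uri"},
    "authorized_user": {"client_id", "client_secret", "refresh_token"},
    "external_account": {"audience", "subject_token_type", "token_url"},
}

def locate_adc(env=None, home=None):
    """File-based part of ADC lookup: env var first, then gcloud's well-known
    file (Linux/macOS default path); otherwise only the metadata service is left."""
    env = os.environ if env is None else env
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        return "env", explicit
    well_known = Path(home or Path.home()) / ".config/gcloud/application_default_credentials.json"
    if well_known.is_file():
        return "well-known", str(well_known)
    return "metadata-server", None

def inspect_credential_file(path):
    """Return findings for one credential file; an empty list means it looks loadable."""
    p = Path(path)
    if not p.is_file():
        return [f"{path}: not a file (missing mount or wrong path?)"]
    mode = stat.S_IMODE(p.stat().st_mode)
    # A private key file should be accessible to its owner only.
    findings = [f"{path}: mode {mode:04o} is accessible by group/other"] if mode & 0o077 else []
    try:
        data = json.loads(p.read_text())
    except PermissionError:
        return findings + [f"{path}: not readable by this user"]
    except ValueError:  # covers JSONDecodeError, e.g. an API key pasted into the file
        return findings + [f"{path}: not valid JSON"]
    ctype = data.get("type") if isinstance(data, dict) else None
    if ctype not in REQUIRED:
        return findings + [f"{path}: unrecognised credential type {ctype!r}"]
    missing = sorted(REQUIRED[ctype] - set(data))
    if missing:
        findings.append(f"{path}: {ctype} file lacks {', '.join(missing)}")
    return findings

if __name__ == "__main__":
    source, path = locate_adc()
    print("ADC source:", source, path or "(no file found)")
    findings = inspect_credential_file(path) if path else []
    print("\n".join(findings) or "no findings")
```

A result of "metadata-server" inside a container that was supposed to receive GOOGLE_APPLICATION_CREDENTIALS points to the propagation problem from Step 5 rather than to the provider.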
Practical diagnostics teams skip (and regret skipping)
- Assuming ADC "just works" without testing: ADC setup can be tricky, and silent failures are common if paths or permissions are wrong.
- Not verifying gcloud works first: if gcloud can't get a token, OpenClaw definitely won't be able to use ADC.
- Confusing Vertex AI with Gemini API: these are different Google services with different auth mechanisms and endpoints.
- Forgetting container environment isolation: environment variables set on the host don't automatically appear in containers.
- Missing that service account keys expire: service account keys have expiration dates and rotation requirements that can cause sudden auth failures.
Edge cases that can mislead your debugging
Not every "No API key found" error with Google providers is caused by the ADC issue. Watch for these edge cases:
- Wrong provider variant selected: choosing google-gemini-cli when you meant google API key, or vice versa.
- Vertex AI API not enabled: some Google Cloud projects need Vertex AI API explicitly enabled before ADC tokens can access it.
- Service account lacks Vertex AI permissions: the service account may exist but not have the necessary Vertex AI user/admin roles.
- Quota or billing issues: even with valid auth, Vertex API calls fail if the project has billing issues or quota limits.
- Mixed auth confusion: trying to use both API key and ADC simultaneously, which can cause unpredictable behavior.
How to verify the fix is working
- Vertex AI provider initializes without "No API key found" errors.
- Test prompts successfully complete using Vertex AI models like gemini-pro or gemini-ultra.
- Token usage tracking shows Vertex API calls being logged properly.
- Google Cloud console shows API requests from your service account or authenticated user.
- Future OpenClaw restarts maintain auth without requiring manual intervention.
Common mistakes that prolong this issue
- Spending hours debugging ADC when switching to Gemini API with a key would solve the immediate problem.
- Not isolating whether the issue is OpenClaw-specific by testing ADC with other tools first.
- Assuming all Google providers work the same way when API key, CLI, and Vertex auth are fundamentally different.
- Forgetting to restart OpenClaw after changing environment variables or service account keys.
- Using an API key in the ADC field or vice versa, which creates authentication mismatches.
Prevention: stable Google provider configuration for OpenClaw
For most OpenClaw deployments, Google Gemini API with an AI Studio key is the most stable and predictable option. Reserve Vertex AI and ADC for deployments that specifically need enterprise Google Cloud features. If you must use Vertex, set up monitoring to detect auth failures early and have a fallback plan to switch providers. Review /openclaw-setup/ for stable configuration patterns.
When to consider managed hosting
Provider auth management adds operational overhead, especially with complex setups like Vertex ADC. If you spend more time debugging Google Cloud auth than using AI agents, managed hosting may reduce the burden. Hosted environments handle provider auth, credential rotation, and environment configuration at the platform level. Compare tradeoffs at /compare/. If you want Vertex AI without managing auth plumbing yourself, review /openclaw-cloud-hosting/.
Fix once. Stop recurring Vertex ADC credential issues.
If this keeps coming back, you can move your existing setup to managed OpenClaw cloud hosting instead of rebuilding the same stack. Import your current instance, keep your context, and move onto a runtime with lower ops overhead.
- Import flow in ~1 minute
- Keep your current instance context
- Run with managed security and reliability defaults
If you would rather compare options first, review OpenClaw cloud hosting or see the best OpenClaw hosting options before deciding.
FAQ
Is Vertex AI required for Gemini models in OpenClaw?
No. Gemini models work through Google Gemini API with AI Studio keys. Vertex AI is an enterprise path that adds Google Cloud integration but isn't required for basic Gemini access. If you're hitting auth issues with Vertex, switch to Google Gemini API.
Should I use service account keys or workload identity?
Workload identity is more secure but requires proper Kubernetes or Cloud Run setup. Service account keys are simpler but create key management overhead. For OpenClaw self-hosted setups, API keys are often simpler than either option unless you have specific enterprise requirements.
Does this affect other Google providers like google-gemini-cli?
Reports specifically mention the google-vertex provider with ADC. The google-gemini-cli provider uses a different auth flow (credential JSON payload) and doesn't rely on ADC the same way. If you're using google-gemini-cli, you may not see this issue.
Sources
- OpenClaw issue #56253 (opened 2026-03-28): google-vertex provider ignores ADC credentials
- First-party documentation: landing/src/pages/blog/tutorials/gemini.astro (distinguishes Google Gemini API, Gemini CLI, and Vertex AI)
- First-party implementation: docs/worklog/2026-02-12-provider-split-anthropic-google.md (provider split for auth-mode variants)
- Product specification: docs/SPEC.md sections 5 and 7 (OpenClaw-native auth and instance configuration)