How can I disable default service account fallback using GOOGLE_APPLICATION_CREDENTIALS in my Spring Boot pod?

When your application uses the Google Cloud client libraries, setting the environment variable (GOOGLE_APPLICATION_CREDENTIALS) tells the library where to look for explicit credentials. However, in a Kubernetes pod running on GKE, if that file doesn’t exist or the credentials aren’t valid, the library may fall back to the credentials provided by the metadata server—which are based on the auto-mounted default service account. In your case, the default Service Account is still being injected into the pod, and its token is being used to authenticate and access BigQuery.

To enforce that your application does not fall back to the auto-mounted service account credentials and instead uses (or fails because of) the file specified by GOOGLE_APPLICATION_CREDENTIALS, you need to disable the automatic mounting of the service account token for the pod. This can be done by setting automountServiceAccountToken to false in your pod specification.

For example:

YAMLCopied
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  automountServiceAccountToken: false
  containers:
  - name: mycontainer
    image: myimage
    env:
      - name: GOOGLE_APPLICATION_CREDENTIALS
        value: /tmp/sa.json

With automountServiceAccountToken disabled, the default service account token will not be available in the pod. This forces your application to only have access to credentials provided via the file referenced by GOOGLE_APPLICATION_CREDENTIALS. In your test setup where the file is empty or missing, the authentication will then fail as expected instead of falling back on the default service account’s credentials.