feat(cli): support --from-gcloud-adc for google-cloud providers

Widen --from-gcloud-adc to accept google-cloud providers. The ADC
credential key is derived from the provider profile rather than
hardcoded per type, so future GCP provider types get ADC support by
declaring the right refresh metadata in their profile YAML.

Add ProviderTypeProfile::adc_credential() to find the ADC-compatible
credential from a profile's refresh metadata. Remove unused
VERTEX_AI_ADC_TOKEN_KEY and GCP_ADC_TOKEN_KEY constants.

Signed-off-by: Robert Sturla <rsturla@redhat.com>

Author: p5

crates/openshell-cli/src/main.rs

@@ -740,7 +740,7 @@ enum ProviderCommands {
 
         /// Configure credentials from gcloud Application Default Credentials
         /// (`~/.config/gcloud/application_default_credentials.json`).
-        /// Only valid for google-vertex-ai providers.
+        /// Valid for providers whose profile declares an ADC-compatible credential.
         #[arg(long, group = "cred_source", conflicts_with_all = ["from_existing", "credentials", "runtime_credentials"])]
         from_gcloud_adc: bool,
 

crates/openshell-cli/src/run.rs

@@ -4347,7 +4347,7 @@ fn read_gcloud_adc() -> Result<(String, String, String)> {
     Ok((client_id, client_secret, refresh_token))
 }
 
-async fn rollback_provider_create_after_vertex_adc_failure(
+async fn rollback_provider_create_after_gcloud_adc_failure(
     client: &mut crate::tls::GrpcClient,
     provider_name: &str,
     stage: &str,
@@ -4360,7 +4360,7 @@ async fn rollback_provider_create_after_vertex_adc_failure(
         .await
     {
         Ok(_) => Err(miette!(
-            "failed to {stage} Vertex AI credentials from gcloud ADC for provider '{provider_name}': {source}. \
+            "failed to {stage} credentials from gcloud ADC for provider '{provider_name}': {source}. \
              The provider was rolled back successfully."
         )),
         Err(cleanup_err) => {
@@ -4374,7 +4374,7 @@ async fn rollback_provider_create_after_vertex_adc_failure(
                 provider_name
             );
             Err(miette!(
-                "failed to {stage} Vertex AI credentials from gcloud ADC for provider '{provider_name}': {source}. \
+                "failed to {stage} credentials from gcloud ADC for provider '{provider_name}': {source}. \
                  Cleanup also failed, so the provider may still exist. \
                  Run 'openshell provider delete {provider_name}' to remove it manually."
             ))
@@ -4483,6 +4483,9 @@ async fn discover_existing_provider_data(
 /// Canonical provider type string for Google Vertex AI.
 const VERTEX_AI_PROVIDER_TYPE: &str = "google-vertex-ai";
 
+/// Canonical provider type string for Google Cloud (GCP APIs).
+const GOOGLE_CLOUD_PROVIDER_TYPE: &str = "google-cloud";
+
 fn missing_credentials_error(provider_type: &str) -> miette::Report {
     if provider_type == VERTEX_AI_PROVIDER_TYPE {
         return miette::miette!(
@@ -4493,6 +4496,14 @@ fn missing_credentials_error(provider_type: &str) -> miette::Report {
         );
     }
 
+    if provider_type == GOOGLE_CLOUD_PROVIDER_TYPE {
+        return miette::miette!(
+            "no credentials resolved for provider type '{provider_type}'. \
+             Set GCP_ADC_ACCESS_TOKEN or GCP_SA_ACCESS_TOKEN; \
+             or use --from-gcloud-adc / --from-existing with those env vars set."
+        );
+    }
+
     miette::miette!(
         "no credentials resolved for provider type '{provider_type}'. \
          Use --credential KEY[=VALUE], --runtime-credentials for runtime-resolved profile credentials, \
@@ -4583,11 +4594,34 @@ pub async fn provider_create_with_options(
         }
     };
 
-    if from_gcloud_adc && provider_type != VERTEX_AI_PROVIDER_TYPE {
-        return Err(miette::miette!(
-            "--from-gcloud-adc is only valid for google-vertex-ai providers"
-        ));
-    }
+    let adc_credential_key = if from_gcloud_adc {
+        let profile =
+            openshell_providers::get_default_profile(&provider_type).ok_or_else(|| {
+                miette::miette!(
+                    "--from-gcloud-adc requires a built-in provider profile, \
+                 but '{provider_type}' has none"
+                )
+            })?;
+        let adc_cred = profile.adc_credential().ok_or_else(|| {
+            miette::miette!(
+                "--from-gcloud-adc is not supported for '{provider_type}' providers \
+                 (no ADC-compatible credential in the provider profile)"
+            )
+        })?;
+        Some(
+            adc_cred
+                .env_vars
+                .first()
+                .ok_or_else(|| {
+                    miette::miette!(
+                        "ADC credential in '{provider_type}' profile has no env_vars declared"
+                    )
+                })?
+                .clone(),
+        )
+    } else {
+        None
+    };
 
     let mut credential_map = parse_credential_pairs(credentials)?;
     let mut config_map = parse_key_value_pairs(config, "--config")?;
@@ -4636,10 +4670,12 @@ pub async fn provider_create_with_options(
     }
 
     // Validate and read the ADC file BEFORE creating the provider so that
-    // a bad/missing ADC does not leave an orphan provider behind.
-    let gcloud_adc_material = if from_gcloud_adc {
+    // a bad/missing ADC does not leave an orphan provider behind. Bundle the
+    // credential key with the material so they stay coupled.
+    let gcloud_adc_bootstrap = if from_gcloud_adc {
         let (client_id, client_secret, refresh_token) = read_gcloud_adc()?;
-        Some((client_id, client_secret, refresh_token))
+        let key = adc_credential_key.expect("set when from_gcloud_adc is true");
+        Some((key, client_id, client_secret, refresh_token))
     } else {
         None
     };
@@ -4669,7 +4705,9 @@ pub async fn provider_create_with_options(
         .ok_or_else(|| miette::miette!("provider missing from response"))?;
     let provider_name = provider.object_name().to_string();
 
-    if let Some((client_id, client_secret, refresh_token)) = gcloud_adc_material {
+    if let Some((adc_credential_key, client_id, client_secret, refresh_token)) =
+        gcloud_adc_bootstrap
+    {
         let mut material = HashMap::new();
         material.insert("client_id".to_string(), client_id);
         material.insert("client_secret".to_string(), client_secret);
@@ -4678,7 +4716,7 @@ pub async fn provider_create_with_options(
         if let Err(configure_err) = client
             .configure_provider_refresh(ConfigureProviderRefreshRequest {
                 provider: provider_name.clone(),
-                credential_key: openshell_core::inference::VERTEX_AI_ADC_TOKEN_KEY.to_string(),
+                credential_key: adc_credential_key.clone(),
                 strategy: ProviderCredentialRefreshStrategy::Oauth2RefreshToken as i32,
                 material,
                 secret_material_keys: vec![
@@ -4689,7 +4727,7 @@ pub async fn provider_create_with_options(
             })
             .await
         {
-            return rollback_provider_create_after_vertex_adc_failure(
+            return rollback_provider_create_after_gcloud_adc_failure(
                 &mut client,
                 &provider_name,
                 "configure",
@@ -4701,11 +4739,11 @@ pub async fn provider_create_with_options(
         if let Err(rotate_err) = client
             .rotate_provider_credential(RotateProviderCredentialRequest {
                 provider: provider_name.clone(),
-                credential_key: openshell_core::inference::VERTEX_AI_ADC_TOKEN_KEY.to_string(),
+                credential_key: adc_credential_key,
             })
             .await
         {
-            return rollback_provider_create_after_vertex_adc_failure(
+            return rollback_provider_create_after_gcloud_adc_failure(
                 &mut client,
                 &provider_name,
                 "mint the initial access token for",
@@ -4715,9 +4753,7 @@ pub async fn provider_create_with_options(
         }
 
         println!("{} Created provider {}", "✓".green().bold(), provider_name);
-        println!(
-            "Configured Vertex AI credentials from gcloud ADC and minted the initial access token"
-        );
+        println!("Configured GCP credentials from gcloud ADC and minted the initial access token");
         return Ok(());
     }
 

crates/openshell-cli/tests/provider_commands_integration.rs

@@ -2234,8 +2234,7 @@ async fn provider_create_from_gcloud_adc_rejects_wrong_provider_type_before_cred
     .expect_err("wrong provider type should fail before generic credential validation");
 
     assert!(
-        err.to_string()
-            .contains("--from-gcloud-adc is only valid for google-vertex-ai providers"),
+        err.to_string().contains("--from-gcloud-adc"),
         "unexpected error: {err}"
     );
     assert!(ts.state.providers.lock().await.is_empty());

crates/openshell-core/src/inference.rs

@@ -102,12 +102,6 @@ pub const VERTEX_AI_CREDENTIAL_KEY_NAMES: &[&str] = &[
     "VERTEX_AI_TOKEN",
 ];
 
-/// The credential key used for tokens minted from gcloud Application Default Credentials.
-///
-/// This is the key written by the gateway's `OAuth2` refresh worker when using the
-/// `--from-gcloud-adc` CLI flow. It must match `VERTEX_AI_CREDENTIAL_KEY_NAMES[2]`.
-pub const VERTEX_AI_ADC_TOKEN_KEY: &str = "GOOGLE_VERTEX_AI_TOKEN";
-
 /// GCP project ID config key for Vertex AI providers.
 pub const VERTEX_AI_PROJECT_ID_KEY: &str = "VERTEX_AI_PROJECT_ID";
 

crates/openshell-providers/src/profiles.rs

@@ -371,6 +371,25 @@ impl ProviderTypeProfile {
         has_runtime_resolvable_credential
     }
 
+    /// Returns the credential suitable for `--from-gcloud-adc` bootstrap, if any.
+    ///
+    /// A credential qualifies when its refresh strategy is `Oauth2RefreshToken`
+    /// and its material declares the three gcloud ADC keys (`client_id`,
+    /// `client_secret`, `refresh_token`).
+    #[must_use]
+    pub fn adc_credential(&self) -> Option<&CredentialProfile> {
+        const ADC_MATERIAL_KEYS: &[&str] = &["client_id", "client_secret", "refresh_token"];
+
+        self.credentials.iter().find(|cred| {
+            cred.refresh.as_ref().is_some_and(|refresh| {
+                refresh.strategy == ProviderCredentialRefreshStrategy::Oauth2RefreshToken
+                    && ADC_MATERIAL_KEYS
+                        .iter()
+                        .all(|key| refresh.material.iter().any(|m| m.name == *key))
+            })
+        })
+    }
+
     #[must_use]
     pub fn to_proto(&self) -> ProviderProfile {
         ProviderProfile {
@@ -1790,6 +1809,73 @@ credentials:
         assert!(!static_only_profile.allows_empty_provider_credentials());
     }
 
+    #[test]
+    fn adc_credential_returns_oauth2_refresh_token_credential_with_adc_material() {
+        let profile = get_default_profile("google-cloud").expect("google-cloud profile");
+        let adc = profile
+            .adc_credential()
+            .expect("google-cloud should have an ADC credential");
+        assert_eq!(adc.env_vars[0], "GCP_ADC_ACCESS_TOKEN");
+
+        let profile = get_default_profile("google-vertex-ai").expect("vertex profile");
+        let adc = profile
+            .adc_credential()
+            .expect("vertex should have an ADC credential");
+        assert_eq!(adc.env_vars[0], "GOOGLE_VERTEX_AI_TOKEN");
+    }
+
+    #[test]
+    fn adc_credential_returns_none_for_profiles_without_adc() {
+        let profile = get_default_profile("github").expect("github profile");
+        assert!(profile.adc_credential().is_none());
+
+        let profile = get_default_profile("claude-code").expect("claude-code profile");
+        assert!(profile.adc_credential().is_none());
+    }
+
+    #[test]
+    fn adc_credential_rejects_service_account_jwt_strategy() {
+        let profile = parse_profile_yaml(
+            r"
+id: sa-only
+display_name: SA Only
+credentials:
+  - name: sa_token
+    env_vars: [SA_TOKEN]
+    refresh:
+      strategy: google_service_account_jwt
+      material:
+        - name: client_email
+        - name: private_key
+",
+        )
+        .expect("profile");
+        assert!(profile.adc_credential().is_none());
+    }
+
+    #[test]
+    fn adc_credential_requires_all_three_material_keys() {
+        let profile = parse_profile_yaml(
+            r"
+id: partial-material
+display_name: Partial Material
+credentials:
+  - name: token
+    env_vars: [TOKEN]
+    refresh:
+      strategy: oauth2_refresh_token
+      material:
+        - name: client_id
+        - name: client_secret
+",
+        )
+        .expect("profile");
+        assert!(
+            profile.adc_credential().is_none(),
+            "missing refresh_token material should not qualify"
+        );
+    }
+
     #[test]
     fn parse_profile_yaml_reads_single_provider_document() {
         let profile = parse_profile_yaml(

docs/providers/google-cloud.mdx

@@ -14,31 +14,23 @@ on loopback provides credential placeholders that the
 sandbox proxy resolves to real tokens at request time. The sandbox process
 never holds a real GCP credential.
 
-## Quick Start (Manual Token)
+## Quick Start
 
-If you already have `gcloud` configured, you can create a provider with a
-short-lived access token from Application Default Credentials. This is the
-fastest way to test GCP access in a sandbox.
+If you already have `gcloud` configured with Application Default Credentials,
+create a provider with automatic credential refresh in one command:
 
 ```shell
-export GCP_ADC_ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
-
 openshell provider create \
   --name my-gcp \
   --type google-cloud \
-  --from-existing \
+  --from-gcloud-adc \
   --config project_id="$(gcloud config get-value project)" \
   --config region=global
 ```
 
-<Note>
-The token from `gcloud auth application-default print-access-token` expires
-after approximately 60 minutes. To keep the provider alive beyond that,
-configure credential refresh using the
-[Application Default Credentials](#application-default-credentials-gcloud-adc)
-flow below. The manual token bootstraps the provider; the refresh config
-keeps it running.
-</Note>
+`--from-gcloud-adc` reads your ADC file, configures OAuth2 refresh on the
+gateway, and mints the first access token before the command returns. The
+gateway rotates the token automatically — no manual refresh needed.
 
 ## Authentication Flows
 

docs/providers/google-vertex-ai.mdx

@@ -68,7 +68,7 @@ openshell provider create \
 ADC-backed providers mint and rotate access tokens into `GOOGLE_VERTEX_AI_TOKEN`.
 
 <Note>
-`--from-gcloud-adc` is only valid for `google-vertex-ai` providers.
+`--from-gcloud-adc` is valid for `google-vertex-ai` and `google-cloud` providers.
 </Note>
 
 ## Configuration Keys