ADC is not a credential. ADC is a method of finding credentials.
Google Cloud Application Default Credentials
App Engine Standard uses one default service account per project. All App Engine Standard services in a project use the same service account. You can modify the default service account but you cannot change the default service account to use a different service account (as you can with Compute Engine).
If you decide to create a new service account for usage within your application, do not store the service account in your application. This means forget about GOOGLE_APPLICATION_CREDENTIALS. Instead, store the service account in Google Secret Manager (better) or Google Cloud Storage (OK with the right permissions). Load the service account JSON data during application startup.
just a follow up question: when I do "gcloud app deploy" this will set the default service account regardless of how I'm authenticated to gcloud correct? in other words, if I "gcloud auth login" as any service account, this service account will not be used inside app engine?
@Arximede Your
app deploywill not change the App Engine service account. The credentials that you use to publish an application do not affect the credentials the application uses. Your credentials are separate from Google App Engine credentials.