GbqConnector should be able to fetch default credentials on Google Compute Engine

doc/source/whatsnew/v0.19.0.txt

@@ -185,6 +185,8 @@ Using the anchoring suffix, you can also specify the day of month to use instead
 Other enhancements
 ^^^^^^^^^^^^^^^^^^
 
+- The ``.get_credentials()`` method of ``GbqConnector`` can now first try to fetch the default credentials for Google Compute Engine without the need to run ``OAuth2WebServerFlow`` - if private_key is not provided (:issue:`13577`)
+
 - The ``.tz_localize()`` method of ``DatetimeIndex`` and ``Timestamp`` has gained the ``errors`` keyword, so you can potentially coerce nonexistent timestamps to ``NaT``. The default behaviour remains to raising a ``NonExistentTimeError`` (:issue:`13057`)
 
 - ``Index`` now supports ``.str.extractall()`` which returns a ``DataFrame``, see :ref:`documentation here <text.extractall>` (:issue:`10008`, :issue:`13156`)

pandas/io/gbq.py

@@ -159,7 +159,47 @@ def get_credentials(self):
         if self.private_key:
             return self.get_service_account_credentials()
         else:
-            return self.get_user_account_credentials()
+            # Try to retrieve Application Default Credentials
+            project_id = self.project_id
+            credentials = self.get_application_default_credentials(project_id)
+            if not credentials:
+                credentials = self.get_user_account_credentials()
+            return credentials
+
+    @staticmethod
+    def get_application_default_credentials(project_id):  # pragma: no cover
+        """
+        Given a project_id tries to retrieve the
+        "default application credentials"
+        Could be useful for running code on Google Cloud Platform
+        """
+        credentials = None
+        try:
+            from oauth2client.client import GoogleCredentials
+            from oauth2client.client import AccessTokenRefreshError
+            from oauth2client.client import ApplicationDefaultCredentialsError
+            try:
+                from googleapiclient.discovery import build
+                from googleapiclient.errors import HttpError
+            except:
+                from apiclient.discovery import build
+                from apiclient.errors import HttpError
+        except ImportError:
+            return None
+
+        try:
+            credentials = GoogleCredentials.get_application_default()
+        except ApplicationDefaultCredentialsError:
+            return None
+        # Check if the application has rights to the BigQuery project
+        bigquery_service = build('bigquery', 'v2', credentials=credentials)
+        jobs = bigquery_service.jobs()
+        job_data = {'configuration': {'query': {'query': 'SELECT 1'}}}
+        try:
+            jobs.insert(projectId=project_id, body=job_data).execute()
+        except (AccessTokenRefreshError, HttpError, TypeError):
+            return None
+        return credentials
 
     def get_user_account_credentials(self):
         from oauth2client.client import OAuth2WebServerFlow
@@ -576,7 +616,9 @@ def read_gbq(query, project_id=None, index_col=None, col_order=None,
     https://developers.google.com/api-client-library/python/apis/bigquery/v2
 
     Authentication to the Google BigQuery service is via OAuth 2.0.
-    By default user account credentials are used. You will be asked to
+    By default "application default credentials" are used.
+    If default application credentials are not found or are restrictive -
+    User account credentials are used. You will be asked to
     grant permissions for product name 'pandas GBQ'. It is also posible
     to authenticate via service account credentials by using
     private_key parameter.
@@ -672,7 +714,9 @@ def to_gbq(dataframe, destination_table, project_id, chunksize=10000,
     https://developers.google.com/api-client-library/python/apis/bigquery/v2
 
     Authentication to the Google BigQuery service is via OAuth 2.0.
-    By default user account credentials are used. You will be asked to
+    By default "application default credentials" are used.
+    If default application credentials are not found or are restrictive -
+    User account credentials are used. You will be asked to
     grant permissions for product name 'pandas GBQ'. It is also posible
     to authenticate via service account credentials by using
     private_key parameter.

pandas/io/tests/test_gbq.py

@@ -80,6 +80,7 @@ def _test_imports():
                 from apiclient.discovery import build  # noqa
                 from apiclient.errors import HttpError  # noqa
 
+            from oauth2client.client import GoogleCredentials  # noqa
             from oauth2client.client import OAuth2WebServerFlow  # noqa
             from oauth2client.client import AccessTokenRefreshError  # noqa
 
@@ -188,6 +189,22 @@ def test_generate_bq_schema_deprecated():
         gbq.generate_bq_schema(df)
 
 
+def google_credentials_import():
+    try:
+        from oauth2client.client import GoogleCredentials
+        return GoogleCredentials
+    except ImportError:
+        return type(None)
+
+
+def test_should_be_able_to_get_credentials_from_default_credentials():
+    GoogleCredentials = google_credentials_import()
+    connector = gbq.GbqConnector
+    credentials = connector.get_application_default_credentials(PROJECT_ID)
+    valid_types = (type(None), GoogleCredentials)
+    assert isinstance(credentials, valid_types)
+
+
 class TestGBQConnectorIntegration(tm.TestCase):
 
     def setUp(self):