Get access token from google.oauth2.Credentials

Currently, I am building the async frontend to my TF2 model. Now it works as two services, 1st service is a twisted service, and 2nd service is a TensorFlow serving.

The async web client is being used to query the model asynchronously. For practical reasons, I’ve deployed the model into the GCP AI Platform, and I can get data from it using the python code from examples, and it is okay.

But the thing is that the Google API client is synchronous, and I would like to use the asynchronous client. Since, AFAIK, there are no actively supported async clients for GCP, I tried to get straightforward and use REST. The model input is the same on TensorFlow serving (GCP AI Platform uses TensorFlow serving internally, I believe).

To perform the async call, I need to have:

  1. Model URL. (I have it)
  2. Input data. (I also have it)
  3. Access token.

I saw some examples that are:

import googleapiclient.discovery
credentials = service_account.Credentials.from_service_account_file(

But the issue is that credential.token is None, so I can’t use it.

So I have a question: how could I get the access token to use in the rest request then?

Or maybe there is another but better way of doing that?

I already saw the following question: How to get access token from instance of google.oauth2.service_account.Credentials object? but I am think that it is slightly irrelevant.


The following code sets up the data structures for managing credentials (OAuth tokens) from a service account. No tokens are requested at this point.

credentials = service_account.Credentials.from_service_account_file(

Tokens are not requested from the Google auth server until required. There are several reasons: a) network calls take time – a significant amount of time for network failures; b) tokens expire; c) tokens are cached until they (almost) expire.

To generate a token, call the refresh() method:

import google.auth.transport.requests
request = google.auth.transport.requests.Request()

credential.token will now contain an OAuth Access Token else an exception will be thrown (network error, etc.).