GbqConnector should be able to fetch default credentials on Google Compute Engine

doc/source/whatsnew/v0.19.0.txt

@@ -185,6 +185,8 @@ Using the anchoring suffix, you can also specify the day of month to use instead
 Other enhancements
 ^^^^^^^^^^^^^^^^^^
 
+- The ``.get_credentials()`` method of ``GbqConnector`` can now first try to fetch the default credentials for Google Compute Engine without the need to run ``OAuth2WebServerFlow`` - if private_key is not provided (:issue:`13577`)
+
 - The ``.tz_localize()`` method of ``DatetimeIndex`` and ``Timestamp`` has gained the ``errors`` keyword, so you can potentially coerce nonexistent timestamps to ``NaT``. The default behaviour remains to raising a ``NonExistentTimeError`` (:issue:`13057`)
 
 - ``Index`` now supports ``.str.extractall()`` which returns a ``DataFrame``, see :ref:`documentation here <text.extractall>` (:issue:`10008`, :issue:`13156`)

pandas/io/gbq.py

@@ -159,7 +159,44 @@ def get_credentials(self):
         if self.private_key:
             return self.get_service_account_credentials()
         else:
-            return self.get_user_account_credentials()
+            # Try to retrieve Application Default Credentials
+            credentials = self.get_application_default_credentials()
+            if not credentials:
+                credentials = self.get_user_account_credentials()
+            return credentials
+
+    def get_application_default_credentials(self):
+        """
+        This method tries to retrieve the "default application credentials"
+        Could be useful for running code on Google Cloud Platform
+        """
+        from oauth2client.client import AccessTokenRefreshError
+        try:
+            from googleapiclient.discovery import build
+            from googleapiclient.errors import HttpError
+        except:
+            from apiclient.discovery import build
+            from apiclient.errors import HttpError
+        try:
+            from oauth2client.client import GoogleCredentials
+            from oauth2client.client import ApplicationDefaultCredentialsError
+        except ImportError:
+            return None
+
+        credentials = None
+        try:
+            credentials = GoogleCredentials.get_application_default()
+        except ApplicationDefaultCredentialsError:
+            return None
+        # Check if the application has rights to the BigQuery project
+        bigquery_service = build('bigquery', 'v2', credentials=credentials)
+        jobs = bigquery_service.jobs()
+        job_data = {'configuration': {'query': {'query': 'SELECT 1'}}}
+        try:
+            jobs.insert(projectId=self.project_id, body=job_data).execute()
+        except (AccessTokenRefreshError, HttpError, TypeError):
+            return None
+        return credentials
 
     def get_user_account_credentials(self):
         from oauth2client.client import OAuth2WebServerFlow
@@ -576,10 +613,14 @@ def read_gbq(query, project_id=None, index_col=None, col_order=None,
     https://developers.google.com/api-client-library/python/apis/bigquery/v2
 
     Authentication to the Google BigQuery service is via OAuth 2.0.
-    By default user account credentials are used. You will be asked to
-    grant permissions for product name 'pandas GBQ'. It is also posible
-    to authenticate via service account credentials by using
-    private_key parameter.
+    If "private_key" is not provided:
+        By default "application default credentials" are used [new behavior]
+        If default application credentials are not found or are restrictive -
+        User account credentials are used. In this case - you will be asked to
+        grant permissions for product name 'pandas GBQ'.
+    If "private_key" is provided:
+        It is also posible to authenticate via service account credentials
+        by using this parameter.
 
     Parameters
     ----------
@@ -671,11 +712,14 @@ def to_gbq(dataframe, destination_table, project_id, chunksize=10000,
     Documentation is available at
     https://developers.google.com/api-client-library/python/apis/bigquery/v2
 
-    Authentication to the Google BigQuery service is via OAuth 2.0.
-    By default user account credentials are used. You will be asked to
-    grant permissions for product name 'pandas GBQ'. It is also posible
-    to authenticate via service account credentials by using
-    private_key parameter.
+    If "private_key" is not provided:
+        By default "application default credentials" are used [new behavior]
+        If default application credentials are not found or are restrictive -
+        User account credentials are used. In this case - you will be asked to
+        grant permissions for product name 'pandas GBQ'.
+    If "private_key" is provided:
+        It is also posible to authenticate via service account credentials
+        by using this parameter.
 
     Parameters
     ----------

pandas/io/tests/test_gbq.py

@@ -80,6 +80,7 @@ def _test_imports():
                 from apiclient.discovery import build  # noqa
                 from apiclient.errors import HttpError  # noqa
 
+            from oauth2client.client import GoogleCredentials  # noqa
             from oauth2client.client import OAuth2WebServerFlow  # noqa
             from oauth2client.client import AccessTokenRefreshError  # noqa
 
@@ -217,6 +218,12 @@ def test_should_be_able_to_get_results_from_query(self):
         schema, pages = self.sut.run_query('SELECT 1')
         self.assertTrue(pages is not None)
 
+    def test_get_application_default_credentials_should_not_throw_error(self):
+        from oauth2client.client import GoogleCredentials
+        credentials = self.sut.get_application_default_credentials()
+        valid_types = (type(None), GoogleCredentials)
+        assert isinstance(credentials, valid_types)
+
 
 class TestGBQConnectorServiceAccountKeyPathIntegration(tm.TestCase):
     def setUp(self):