openclaw - 💡(How to fix) Fix [Bug]: `gateway install --force` drops `GOOGLE_APPLICATION_CREDENTIALS` from generated `gateway.systemd.env`

Bug type

Behavior bug (silent data loss during install)

Summary

openclaw gateway install --force regenerates ~/.openclaw/gateway.systemd.env by copying values from ~/.openclaw/.env, but only copies variables whose names are in the install-time managed-keys allowlist. Standard third-party env vars required by OpenClaw's own bundled providers — notably GOOGLE_APPLICATION_CREDENTIALS, required by the google-vertex provider for ADC auth — are silently dropped.

The resulting symptom is No API key found for provider "google-vertex" at runtime, which does not point at the cause.

Environment

• OpenClaw: 2026.5.6 (npm global install)
• OS: Ubuntu (systemd --user service)
• Gateway managed by ~/.config/systemd/user/openclaw-gateway.service
• EnvironmentFile=-/home/<user>/.openclaw/gateway.systemd.env (generated by install)

Steps to reproduce

1. Configure Vertex AI per docs: SA JSON key on disk, project + location set.

2. Add to ~/.openclaw/.env:

   GOOGLE_APPLICATION_CREDENTIALS=/home/<user>/.openclaw/credentials/vertex-sa.json
   GOOGLE_CLOUD_PROJECT=<project-id>
   GOOGLE_CLOUD_LOCATION=global

3. Run openclaw gateway install --force.

4. Run systemctl --user restart openclaw-gateway.service.

5. Inspect the running gateway's environment:

   GATEWAY_PID=$(systemctl --user show -p MainPID --value openclaw-gateway.service)
   sudo cat /proc/$GATEWAY_PID/environ | tr '\0' '\n' | grep GOOGLE_

Expected behaviour

All three GCP env vars present in process env. Vertex auth works.

Actual behaviour

GOOGLE_CLOUD_PROJECT and GOOGLE_CLOUD_LOCATION present (they are in OPENCLAW_SERVICE_MANAGED_ENV_KEYS).

GOOGLE_APPLICATION_CREDENTIALS absent (not in the managed-keys list, dropped during install's .env → gateway.systemd.env copy).

The generated unit declares:

OPENCLAW_SERVICE_MANAGED_ENV_KEYS=BRAVE_API_KEY,GEMINI_API_KEY,GOOGLE_CLOUD_LOCATION,GOOGLE_CLOUD_PROJECT,GOPLACES_API_KEY,NOTION_API_KEY,OPENCLAW_GATEWAY_TOKEN,OPENROUTER_API_KEY

Note GOOGLE_APPLICATION_CREDENTIALS is missing despite being the canonical Google Cloud SDK variable required by the bundled google-vertex provider.

Subsequent agent calls to google-vertex/* models fail with:

No API key found for provider "google-vertex". Auth store: ~/.openclaw/agents/main/agent/auth-profiles.json

Workaround

Manually append to ~/.openclaw/gateway.systemd.env after each install --force:

GOOGLE_APPLICATION_CREDENTIALS=/home/<user>/.openclaw/credentials/vertex-sa.json

Then restart. Will be lost on next install --force run.

Note: this workaround puts the variable in process env (verified via /proc/$PID/environ), but does not by itself make google-vertex work — there is a separate, open auth-resolver bug (#56253, #11413) that prevents google-vertex from authenticating via ADC even when GOOGLE_APPLICATION_CREDENTIALS is correctly set. This issue is specifically about the install-time silent drop; the resolver bug is filed separately.

Suggested fix

Add GOOGLE_APPLICATION_CREDENTIALS to the managed-keys allowlist used by gateway install. More broadly, the install command should either:

• Copy all keys from ~/.openclaw/.env to gateway.systemd.env (simplest, follows least-surprise), or
• Document the allowlist explicitly and warn when keys present in .env are being dropped during install.

The current behaviour silently breaks first-class bundled providers (google-vertex) when configured per the documented setup path.

Related issues

• #11413 — google-vertex "No API key found" on Windows (different cause, same symptom)
• #57104 — gateway install --force keeps stale managed env vars (opposite direction, same lifecycle area)
• #66248 — openclaw update strips user-added EnvironmentFile/Environment directives