diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 5010a9ae6..44b77b57a 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -45,6 +45,7 @@
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
 import com.google.api.client.util.Preconditions;
+import com.google.auth.http.HttpCredentialsAdapter;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.base.MoreObjects;
 import java.io.ByteArrayInputStream;
@@ -52,16 +53,21 @@
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.net.URI;
-import java.util.Date;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
+import java.util.*;
+import java.util.logging.Logger;
+import com.google.api.client.http.javanet.NetHttpTransport;
+
 
 /** OAuth2 Credentials representing a user's identity and consent. */
-public class UserCredentials extends GoogleCredentials implements QuotaProjectIdProvider {
+public class UserCredentials extends GoogleCredentials implements QuotaProjectIdProvider, IdTokenProvider {
+
+  private static final Logger LOGGER = Logger.getLogger(HttpCredentialsAdapter.class.getName());
 
   private static final String GRANT_TYPE = "refresh_token";
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
+  private static final String RESOURCE_MANAGER_API = "https://cloudresourcemanager.googleapis.com/v1/";
+  private static final String SERVICE_ACCOUNT_APPLICATION_CREDENTIALS = "SERVICE_ACCOUNT_APPLICATION_CREDENTIALS";
+  private static final String DEFAULT_COMPUTE_ENGINE_SERVICE_ACCOUNT_SUFFIX = "-compute@developer.gserviceaccount.com";
   private static final long serialVersionUID = -4800758775038679176L;
 
   private final String clientId;
@@ -70,9 +76,19 @@ public class UserCredentials extends GoogleCredentials implements QuotaProjectId
   private final URI tokenServerUri;
   private final String transportFactoryClassName;
   private final String quotaProjectId;
+  private String serviceAccountCredentialEmail;
 
   private transient HttpTransportFactory transportFactory;
 
+  //For test purpose
+  UserCredentials(){
+    clientId = null;
+    clientSecret = null;
+    refreshToken = null;
+    tokenServerUri = null;
+    transportFactoryClassName = null;
+    quotaProjectId = null;
+  }
   /**
    * Constructor with all parameters allowing custom transport and server URL.
    *
@@ -340,6 +356,81 @@ public String getQuotaProjectId() {
     return quotaProjectId;
   }
 
+  /**
+   * Returns a Google ID Token from the Service Account Credentials API.
+   * Compute Engine default service account of the quotas project is used
+   * except if the environment variable 'SERVICE_ACCOUNT_APPLICATION_CREDENTIALS'
+   * is set. The user account must have the 'Service Account Token Creator' on the
+   * service account to be allowed to generate an id_token
+   *
+   * @param targetAudience the aud: field the IdToken should include.
+   * @param options list of Credential specific options for for the token. Currently unused for
+   *     UserCredentials.
+   * @throws IOException if the attempt to get an IdToken failed
+   * @return IdToken object which includes the raw id_token, expiration and audience
+   */
+  @Override
+  public IdToken idTokenWithAudience(String targetAudience, List<Option> options) throws IOException {
+
+    if (targetAudience == null || targetAudience.equals("")) {
+      throw new IOException("TargetAudience can't be null or empty");
+    }
+
+    HttpRequestFactory requestFactory = new NetHttpTransport().createRequestFactory(new HttpCredentialsAdapter(this));
+
+    //First time, check if the instance attribute has been initialized or not
+    if (serviceAccountCredentialEmail == null){
+      serviceAccountCredentialEmail = getServiceAccountEmail(requestFactory);
+    }
+
+    return IamUtils.getIdToken(serviceAccountCredentialEmail,this, requestFactory.getTransport(),
+            targetAudience, true, Collections.EMPTY_MAP);
+  }
+
+  protected String getServiceAccountEmail(HttpRequestFactory requestFactory) throws IOException {
+    LOGGER.warning("ID Token generation with audience and based on user credential is not possible. \n" +
+            "A service account must be used. You can define it in the environment variable\n" +
+            SERVICE_ACCOUNT_APPLICATION_CREDENTIALS + "\nIf not set, default Compute Engine default " +
+            "service account will be used\nYou need to have the role 'Service Account Token Creator' " +
+            "on the service account.");
+
+    // Get the service account in the Environment Variables
+    String saEmail = getEnv(SERVICE_ACCOUNT_APPLICATION_CREDENTIALS);
+
+    // If missing, use the compute engine default service account by default
+    if (saEmail == null || saEmail.equals("")){
+      // If quotaProjectId is null, you can't determine the current project
+      if (quotaProjectId == null){
+        throw new IOException(
+                "QuotaProjectId can't be null to determine the default service account to use\n" +
+                        "Use 'gcloud auth application-default set-quota-project' to set it");
+      }
+
+      // Inform the user that no defined service account is found. Use the Compute Engine Default service account
+      saEmail = getComputeEngineDefaultServiceAccountEmail(getQuotaProjectId(),requestFactory);
+    }
+    LOGGER.info("The service account with email '" + saEmail + "' is used");
+    return saEmail;
+  }
+
+  //For test purpose
+  String getEnv(String key){
+    return System.getenv(key);
+  }
+
+
+  protected String getComputeEngineDefaultServiceAccountEmail(String projectId, HttpRequestFactory requestFactory)
+            throws IOException {
+    String url = RESOURCE_MANAGER_API + "projects/" + projectId;
+
+    HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(url));
+    request.setParser(new JsonObjectParser(JSON_FACTORY));
+    HttpResponse httpResponse = request.execute();
+    GenericData responseData = httpResponse.parseAs(GenericData.class);
+
+    return responseData.get("projectNumber").toString() + DEFAULT_COMPUTE_ENGINE_SERVICE_ACCOUNT_SUFFIX;
+  }
+
   public static class Builder extends GoogleCredentials.Builder {
 
     private String clientId;
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index 92e8ebe73..66be2d341 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -38,10 +38,17 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.LowLevelHttpRequest;
+import com.google.api.client.http.LowLevelHttpResponse;
 import com.google.api.client.json.GenericJson;
+import com.google.api.client.testing.http.MockHttpTransport;
+import com.google.api.client.testing.http.MockLowLevelHttpRequest;
+import com.google.api.client.testing.http.MockLowLevelHttpResponse;
 import com.google.api.client.util.Clock;
 import com.google.auth.TestUtils;
 import com.google.auth.http.AuthHttpConstants;
+import com.google.auth.http.HttpTransportFactory;
 import com.google.auth.oauth2.GoogleCredentialsTest.MockHttpTransportFactory;
 import com.google.auth.oauth2.GoogleCredentialsTest.MockTokenServerTransportFactory;
 import com.google.common.collect.ImmutableList;
@@ -52,10 +59,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
+
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
@@ -69,6 +74,7 @@ public class UserCredentialsTest extends BaseSerializationTest {
   private static final String REFRESH_TOKEN = "1/Tl6awhpFjkMkSJoj1xsli0H2eL5YsMgU_NKPY2TyGWY";
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
+  private static final String SERVICE_ACCOUNT_EMAIL = "my-service-account@my-project.iam.gserviceaccount.com";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
 
@@ -80,12 +86,12 @@ public void constructor_accessAndRefreshTokenNull_throws() {
   @Test
   public void constructor() {
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     assertEquals(CLIENT_ID, credentials.getClientId());
     assertEquals(CLIENT_SECRET, credentials.getClientSecret());
     assertEquals(REFRESH_TOKEN, credentials.getRefreshToken());
@@ -95,22 +101,22 @@ public void constructor() {
   @Test
   public void createScoped_same() {
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
     assertSame(userCredentials, userCredentials.createScoped(SCOPES));
   }
 
   @Test
   public void createScopedRequired_false() {
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
     assertFalse(userCredentials.createScopedRequired());
   }
 
@@ -139,8 +145,8 @@ public void fromJson_hasQuotaProjectId() throws IOException {
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
     assertTrue(metadata.containsKey(GoogleCredentials.QUOTA_PROJECT_ID_HEADER_KEY));
     assertEquals(
-        metadata.get(GoogleCredentials.QUOTA_PROJECT_ID_HEADER_KEY),
-        Collections.singletonList(QUOTA_PROJECT));
+            metadata.get(GoogleCredentials.QUOTA_PROJECT_ID_HEADER_KEY),
+            Collections.singletonList(QUOTA_PROJECT));
   }
 
   @Test
@@ -149,12 +155,12 @@ public void getRequestMetadata_initialToken_hasAccessToken() throws IOException
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .build();
 
     Map<String, List<String>> metadata = userCredentials.getRequestMetadata(CALL_URI);
 
@@ -167,12 +173,12 @@ public void getRequestMetadata_initialTokenRefreshed_throws() throws IOException
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .build();
 
     try {
       userCredentials.refresh();
@@ -188,12 +194,12 @@ public void getRequestMetadata_fromRefreshToken_hasAccessToken() throws IOExcept
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setHttpTransportFactory(transportFactory)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setHttpTransportFactory(transportFactory)
+                    .build();
 
     Map<String, List<String>> metadata = userCredentials.getRequestMetadata(CALL_URI);
 
@@ -208,13 +214,13 @@ public void getRequestMetadata_customTokenServer_hasAccessToken() throws IOExcep
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
     transportFactory.transport.setTokenServerUri(TOKEN_SERVER);
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(TOKEN_SERVER)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(TOKEN_SERVER)
+                    .build();
 
     Map<String, List<String>> metadata = userCredentials.getRequestMetadata(CALL_URI);
 
@@ -227,25 +233,25 @@ public void equals_true() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     assertTrue(credentials.equals(otherCredentials));
     assertTrue(otherCredentials.equals(credentials));
   }
@@ -256,23 +262,23 @@ public void equals_false_clientId() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId("other client id")
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId("other client id")
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -283,23 +289,23 @@ public void equals_false_clientSecret() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret("other client secret")
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret("other client secret")
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -310,23 +316,23 @@ public void equals_false_refreshToken() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     OAuth2Credentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     OAuth2Credentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken("otherRefreshToken")
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken("otherRefreshToken")
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -338,23 +344,23 @@ public void equals_false_accessToken() throws IOException {
     AccessToken otherAccessToken = new AccessToken("otherAccessToken", null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(otherAccessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(otherAccessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -366,23 +372,23 @@ public void equals_false_transportFactory() throws IOException {
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     MockTokenServerTransportFactory serverTransportFactory = new MockTokenServerTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(serverTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(serverTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -394,23 +400,23 @@ public void equals_false_tokenServer() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer2)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer2)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -422,23 +428,23 @@ public void equals_false_quotaProjectId() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setQuotaProjectId(quotaProject1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setQuotaProjectId(quotaProject1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setQuotaProjectId(quotaProject2)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setQuotaProjectId(quotaProject2)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -449,29 +455,29 @@ public void toString_containsFields() throws IOException {
     final URI tokenServer = URI.create("https://foo.com/bar");
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
 
     String expectedToString =
-        String.format(
-            "UserCredentials{requestMetadata=%s, temporaryAccess=%s, clientId=%s, refreshToken=%s, "
-                + "tokenServerUri=%s, transportFactoryClassName=%s, quotaProjectId=%s}",
-            ImmutableMap.of(
-                AuthHttpConstants.AUTHORIZATION,
-                ImmutableList.of(OAuth2Utils.BEARER_PREFIX + accessToken.getTokenValue())),
-            accessToken.toString(),
-            CLIENT_ID,
-            REFRESH_TOKEN,
-            tokenServer,
-            MockTokenServerTransportFactory.class.getName(),
-            QUOTA_PROJECT);
+            String.format(
+                    "UserCredentials{requestMetadata=%s, temporaryAccess=%s, clientId=%s, refreshToken=%s, "
+                            + "tokenServerUri=%s, transportFactoryClassName=%s, quotaProjectId=%s}",
+                    ImmutableMap.of(
+                            AuthHttpConstants.AUTHORIZATION,
+                            ImmutableList.of(OAuth2Utils.BEARER_PREFIX + accessToken.getTokenValue())),
+                    accessToken.toString(),
+                    CLIENT_ID,
+                    REFRESH_TOKEN,
+                    tokenServer,
+                    MockTokenServerTransportFactory.class.getName(),
+                    QUOTA_PROJECT);
     assertEquals(expectedToString, credentials.toString());
   }
 
@@ -481,25 +487,25 @@ public void hashCode_equals() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     assertEquals(credentials.hashCode(), otherCredentials.hashCode());
   }
 
@@ -509,14 +515,14 @@ public void serialize() throws IOException, ClassNotFoundException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .build();
     UserCredentials deserializedCredentials = serializeAndDeserialize(credentials);
     assertEquals(credentials, deserializedCredentials);
     assertEquals(credentials.hashCode(), deserializedCredentials.hashCode());
@@ -526,7 +532,7 @@ public void serialize() throws IOException, ClassNotFoundException {
 
   @Test
   public void fromStream_nullTransport_throws() throws IOException {
-    InputStream stream = new ByteArrayInputStream("foo".getBytes());
+    InputStream stream = new ByteArrayInputStream("foo" .getBytes());
     try {
       UserCredentials.fromStream(stream, null);
       fail("Should throw if HttpTransportFactory is null");
@@ -552,7 +558,7 @@ public void fromStream_user_providesToken() throws IOException {
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
     InputStream userStream =
-        writeUserStream(CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
+            writeUserStream(CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
 
     UserCredentials credentials = UserCredentials.fromStream(userStream, transportFactory);
 
@@ -585,11 +591,11 @@ public void fromStream_userNoRefreshToken_throws() throws IOException {
   @Test
   public void saveUserCredentials_saved_throws() throws IOException {
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
     File file = File.createTempFile("GOOGLE_APPLICATION_CREDENTIALS", null, null);
     file.deleteOnExit();
 
@@ -600,11 +606,11 @@ public void saveUserCredentials_saved_throws() throws IOException {
   @Test
   public void saveAndRestoreUserCredential_saveAndRestored_throws() throws IOException {
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
 
     File file = File.createTempFile("GOOGLE_APPLICATION_CREDENTIALS", null, null);
     file.deleteOnExit();
@@ -622,8 +628,107 @@ public void saveAndRestoreUserCredential_saveAndRestored_throws() throws IOExcep
     assertEquals(userCredentials.getRefreshToken(), restoredCredentials.getRefreshToken());
   }
 
+  @Test
+  public void getComputeEngineDefaultServiceAccountEmail_correct() throws IOException {
+    HttpTransportFactory transportFactory =
+            new HttpTransportFactory() {
+              @Override
+              public HttpTransport create() {
+                return new MockHttpTransport() {
+                  @Override
+                  public LowLevelHttpRequest buildRequest(String method, String url)
+                          throws IOException {
+                    return new MockLowLevelHttpRequest() {
+                      @Override
+                      public LowLevelHttpResponse execute() throws IOException {
+                        MockLowLevelHttpResponse response = new MockLowLevelHttpResponse();
+                        response.setStatusCode(200);
+                        response.setContentType("application/json");
+                        response.setContent("{\"projectNumber\":\"4226\"}");
+                        return response;
+                      }
+                    };
+                  }
+                };
+              }
+            };
+
+    UserCredentials userCredentials =
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
+    String saEmail = userCredentials.getComputeEngineDefaultServiceAccountEmail(QUOTA_PROJECT, transportFactory.create().createRequestFactory());
+    assertEquals("4226-compute@developer.gserviceaccount.com", saEmail);
+  }
+
+  @Test
+  public void getServiceAccountEmail_throws() throws IOException {
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    UserCredentials userCredentials =
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
+    try {
+      userCredentials.getServiceAccountEmail(transportFactory.create().createRequestFactory());
+      fail("Should throw if quota project is null");
+    } catch (IOException expected) {
+      // Expected
+    }
+  }
+
+  @Test
+  public void getServiceAccountEmail_correct() throws IOException {
+    HttpTransportFactory transportFactory =
+            new HttpTransportFactory() {
+              @Override
+              public HttpTransport create() {
+                return new MockHttpTransport() {
+                  @Override
+                  public LowLevelHttpRequest buildRequest(String method, String url)
+                          throws IOException {
+                    return new MockLowLevelHttpRequest() {
+                      @Override
+                      public LowLevelHttpResponse execute() throws IOException {
+                        MockLowLevelHttpResponse response = new MockLowLevelHttpResponse();
+                        response.setStatusCode(200);
+                        response.setContentType("application/json");
+                        response.setContent("{\"projectNumber\":\"4226\"}");
+                        return response;
+                      }
+                    };
+                  }
+                };
+              }
+            };
+
+    UserCredentials userCredentials =
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
+    String saEmail = userCredentials.getServiceAccountEmail(transportFactory.create().createRequestFactory());
+    assertEquals("4226-compute@developer.gserviceaccount.com", saEmail);
+  }
+
+  @Test
+  public void getServiceAccountEmail_envVar_correct() throws IOException {
+    TestUserCredentials userCredentials = new TestUserCredentials();
+
+    userCredentials.getVariables().put("SERVICE_ACCOUNT_APPLICATION_CREDENTIALS", SERVICE_ACCOUNT_EMAIL);
+
+    String saEmail = userCredentials.getServiceAccountEmail(null);
+    assertEquals(SERVICE_ACCOUNT_EMAIL, saEmail);
+  }
+
+
   static GenericJson writeUserJson(
-      String clientId, String clientSecret, String refreshToken, String quotaProjectId) {
+          String clientId, String clientSecret, String refreshToken, String quotaProjectId) {
     GenericJson json = new GenericJson();
     if (clientId != null) {
       json.put("client_id", clientId);
@@ -642,8 +747,8 @@ static GenericJson writeUserJson(
   }
 
   static InputStream writeUserStream(
-      String clientId, String clientSecret, String refreshToken, String quotaProjectId)
-      throws IOException {
+          String clientId, String clientSecret, String refreshToken, String quotaProjectId)
+          throws IOException {
     GenericJson json = writeUserJson(clientId, clientSecret, refreshToken, quotaProjectId);
     return TestUtils.jsonToInputStream(json);
   }
@@ -652,10 +757,27 @@ private static void testFromStreamException(InputStream stream, String expectedM
     try {
       UserCredentials.fromStream(stream);
       fail(
-          String.format(
-              "Should throw exception with message containing '%s'", expectedMessageContent));
+              String.format(
+                      "Should throw exception with message containing '%s'", expectedMessageContent));
     } catch (IOException expected) {
       assertTrue(expected.getMessage().contains(expectedMessageContent));
     }
   }
-}
+
+  private static class TestUserCredentials extends UserCredentials {
+
+    private final Map<String, String> variables = new HashMap<>();
+
+    public TestUserCredentials() {
+    }
+
+    public Map<String, String> getVariables() {
+      return variables;
+    }
+
+    String getEnv(String key) {
+      return variables.get(key);
+    }
+
+  }
+}
\ No newline at end of file