For some functions (for now, copying files in GCS), we use Google API client library https://developers.google.com/api-client-library/python/.
For API authorization, we use the simplest way - Application Default Credentials
** See https://developers.google.com/identity/protocols/application-default-credentials to get full info about Application Default Credentials**.
In 2 words:
On App Engine API is authorized automatically.
To run API from local machine, install gcloud tool (https://cloud.google.com/sdk), open Google Cloud SDK shell and run
gcloud beta auth application-default login
Or you can download JSON file with service account keys at https://console.developers.google.com/project/_/apis/credentials and set a path to this file to environment variable GOOGLE_APPLICATION_CREDENTIALS like (Windows example):
set "GOOGLE_APPLICATION_CREDENTIALS=C:\path\to\key-file.json"