diff --git a/core/src/main/java/google/registry/config/CredentialModule.java b/core/src/main/java/google/registry/config/CredentialModule.java
index 47d9b98d5..9e1f5b54a 100644
--- a/core/src/main/java/google/registry/config/CredentialModule.java
+++ b/core/src/main/java/google/registry/config/CredentialModule.java
@@ -16,7 +16,6 @@ package google.registry.config;
 import static java.nio.charset.StandardCharsets.UTF_8;
-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.collect.ImmutableList;
 import dagger.Module;
@@ -37,6 +36,36 @@ import javax.inject.Singleton;
 @Module
 public abstract class CredentialModule {
+ /**
+ * Provides a {@link GoogleCredentialsBundle} backed by the application default credential from
+ * the Google Cloud Runtime. This credential may be used to access GCP APIs that are NOT part of
+ * the Google Workspace.
+ *
+ *

The credential returned by the Cloud Runtime depends on the runtime environment: + * + *

+ */
+ @ApplicationDefaultCredential
+ @Provides
+ @Singleton
+ public static GoogleCredentialsBundle provideApplicationDefaultCredential() {
+ GoogleCredentials credential;
+ try {
+ credential = GoogleCredentials.getApplicationDefault();
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ return GoogleCredentialsBundle.create(credential);
+ }
+
 /**
 * Provides the default {@link GoogleCredentialsBundle} from the Google Cloud runtime.
 *
@@ -70,26 +99,19 @@ public abstract class CredentialModule {
 }
 /**
- * Provides the default {@link GoogleCredential} from the Google Cloud runtime for G Suite
- * Drive API.
- * TODO(b/138195359): Deprecate this credential once we figure out how to use
- * {@link GoogleCredentials} for G Suite Drive API.
+ * Provides a {@link GoogleCredentialsBundle} for accessing Google Workspace APIs, such as Drive
+ * and Sheets.
 */
- @GSuiteDriveCredential
+ @GoogleWorkspaceCredential
 @Provides
 @Singleton
- public static GoogleCredential provideGSuiteDriveCredential(
+ public static GoogleCredentialsBundle provideGSuiteDriveCredential(
+ @ApplicationDefaultCredential GoogleCredentialsBundle applicationDefaultCredential,
 @Config("defaultCredentialOauthScopes") ImmutableList requiredScopes) {
- GoogleCredential credential;
- try {
- credential = GoogleCredential.getApplicationDefault();
- } catch (IOException e) {
- throw new RuntimeException(e);
- }
- if (credential.createScopedRequired()) {
- credential = credential.createScoped(requiredScopes);
- }
- return credential;
+ GoogleCredentials credential = applicationDefaultCredential.getGoogleCredentials();
+ // Although credential is scope-less, its `createScopedRequired` method still returns false.
+ credential = credential.createScoped(requiredScopes);
+ return GoogleCredentialsBundle.create(credential);
 }
 /**
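Review bot: `throw new RuntimeException(e)` in `provideApplicationDefaultCredential` carries no message, so a failure while the Dagger graph is built does not say which credential could not be loaded. `throw new RuntimeException("Failed to load the application default credential", e);` keeps the cause and names the step. The provider's Javadoc is only partly visible in this view, so whether it already describes the failure mode cannot be checked here.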
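Review bot: The Workspace credential in `provideGSuiteDriveCredential` is scoped with `defaultCredentialOauthScopes`, so the Drive and Sheets clients receive every scope in that shared list rather than only the Workspace scopes they use; the list's contents are not visible in this diff, so this needs checking against the config. If the list is broader than Drive and Sheets, a dedicated list injected as `@Config("<workspace-scopes-key>") ImmutableList requiredScopes` (key name is a placeholder) would keep this credential at least privilege. The method name no longer matches its `@GoogleWorkspaceCredential` qualifier now that it also feeds `provideSheets` in SheetsServiceModule; `provideGoogleWorkspaceCredential` would fit. The inline comment would state the reason more directly as `// createScopedRequired() returns false even for this scope-less credential, so always apply the scopes.`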
@@ -136,18 +158,24 @@ public abstract class CredentialModule {
 .createScoped(requiredScopes));
 }
+ /** Dagger qualifier for the scope-less Application Default Credential. */
+ @Qualifier
+ @Documented
+ @Retention(RetentionPolicy.RUNTIME)
+ public @interface ApplicationDefaultCredential {}
+
 /** Dagger qualifier for the Application Default Credential. */
 @Qualifier
 @Documented
 @Retention(RetentionPolicy.RUNTIME)
+ @Deprecated // Switching to @ApplicationDefaultCredential
 public @interface DefaultCredential {}
-
- /** Dagger qualifier for the credential for G Suite Drive API. */
+ /** Dagger qualifier for the credential for Google Workspace APIs. */
 @Qualifier
 @Documented
 @Retention(RetentionPolicy.RUNTIME)
- public @interface GSuiteDriveCredential {}
+ public @interface GoogleWorkspaceCredential {}
 /**
 * Dagger qualifier for a credential from a service account's JSON key, to be used in non-request
diff --git a/core/src/main/java/google/registry/export/DriveModule.java b/core/src/main/java/google/registry/export/DriveModule.java
index f41dedf11..871a5d3e4 100644
--- a/core/src/main/java/google/registry/export/DriveModule.java
+++ b/core/src/main/java/google/registry/export/DriveModule.java
@@ -14,16 +14,16 @@
 package google.registry.export;
-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.drive.Drive;
 import dagger.Component;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule;
-import google.registry.config.CredentialModule.GSuiteDriveCredential;
+import google.registry.config.CredentialModule.GoogleWorkspaceCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.storage.drive.DriveConnection;
+import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;
 /** Dagger module for Google {@link Drive} service connection objects. */
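Review bot: After this hunk both `@ApplicationDefaultCredential` and the deprecated `@DefaultCredential` are described as the Application Default Credential, and the only pointer to the replacement is the trailing `// Switching to @ApplicationDefaultCredential` comment, which Javadoc output and IDE deprecation hints do not show. The Javadoc on `DefaultCredential` should say how it differs from the new qualifier (it appears to be the scoped variant; confirm against its provider) and carry a tag such as `@deprecated Use {@link ApplicationDefaultCredential} instead.` Without that, a caller picking between the two qualifiers cannot tell which one carries OAuth scopes. The enclosing class continues outside the hunk.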
@@ -32,13 +32,13 @@ public final class DriveModule {
 @Provides
 static Drive provideDrive(
- @GSuiteDriveCredential GoogleCredential googleCredential,
+ @GoogleWorkspaceCredential GoogleCredentialsBundle googleCredential,
 @Config("projectId") String projectId) {
 return new Drive.Builder(
- googleCredential.getTransport(),
+ googleCredential.getHttpTransport(),
 googleCredential.getJsonFactory(),
- googleCredential)
+ googleCredential.getHttpRequestInitializer())
 .setApplicationName(projectId)
 .build();
 }
diff --git a/core/src/main/java/google/registry/export/sheet/SheetsServiceModule.java b/core/src/main/java/google/registry/export/sheet/SheetsServiceModule.java
index 33a0201bc..1c9c34f90 100644
--- a/core/src/main/java/google/registry/export/sheet/SheetsServiceModule.java
+++ b/core/src/main/java/google/registry/export/sheet/SheetsServiceModule.java
@@ -17,7 +17,7 @@ package google.registry.export.sheet;
 import com.google.api.services.sheets.v4.Sheets;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.config.CredentialModule.JsonCredential;
+import google.registry.config.CredentialModule.GoogleWorkspaceCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
@@ -27,7 +27,7 @@ public final class SheetsServiceModule {
 @Provides
 static Sheets provideSheets(
- @JsonCredential GoogleCredentialsBundle credentialsBundle,
+ @GoogleWorkspaceCredential GoogleCredentialsBundle credentialsBundle,
 @Config("projectId") String projectId) {
 return new Sheets.Builder(
 credentialsBundle.getHttpTransport(),
diff --git a/core/src/main/java/google/registry/privileges/secretmanager/SecretManagerModule.java b/core/src/main/java/google/registry/privileges/secretmanager/SecretManagerModule.java
index 7d48b9e3e..34a82eb32 100644
--- a/core/src/main/java/google/registry/privileges/secretmanager/SecretManagerModule.java
+++ b/core/src/main/java/google/registry/privileges/secretmanager/SecretManagerModule.java
@@ -19,7 +19,7 @@ import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
 import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.config.CredentialModule.DefaultCredential;
+import google.registry.config.CredentialModule.ApplicationDefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 import google.registry.util.Retrier;
@@ -33,7 +33,7 @@ public abstract class SecretManagerModule {
 @Provides
 @Singleton
 static SecretManagerServiceSettings provideSecretManagerSetting(
- @DefaultCredential GoogleCredentialsBundle credentialsBundle) {
+ @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle) {
 try {
 return SecretManagerServiceSettings.newBuilder()
 .setCredentialsProvider(() -> credentialsBundle.getGoogleCredentials())
diff --git a/core/src/main/java/google/registry/tools/AuthModule.java b/core/src/main/java/google/registry/tools/AuthModule.java
index e6fad9822..df357714c 100644
--- a/core/src/main/java/google/registry/tools/AuthModule.java
+++ b/core/src/main/java/google/registry/tools/AuthModule.java
@@ -35,6 +35,7 @@ import dagger.Binds;
 import dagger.Lazy;
 import dagger.Module;
 import dagger.Provides;
+import google.registry.config.CredentialModule.ApplicationDefaultCredential;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.CredentialModule.LocalCredentialJson;
@@ -228,6 +229,11 @@ public class AuthModule {
 @DefaultCredential
 abstract GoogleCredentialsBundle provideLocalCredentialAsDefaultCredential(
 @LocalCredential GoogleCredentialsBundle credential);
+
+ @Binds
+ @ApplicationDefaultCredential
+ abstract GoogleCredentialsBundle provideLocalCredentialAsApplicationDefaultCredential(
+ @LocalCredential GoogleCredentialsBundle credential);
 }
 /** Raised when we need a user login. */
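Review bot: The new `@Binds` method `provideLocalCredentialAsApplicationDefaultCredential` has no comment, yet it makes the tool's `@LocalCredential` stand in for `@ApplicationDefaultCredential`, which CredentialModule describes as the scope-less credential from the Cloud runtime. In the tool, `createScoped(requiredScopes)` in `provideGSuiteDriveCredential` would therefore run on the locally stored credential, and for a user credential that call may leave the scopes unchanged (not verifiable from this diff). A Javadoc line such as `/** Binds the tool's local credential wherever the application default credential is requested. */` would record the substitution, and a note on which scopes the local credential carries would tell readers what Drive and Sheets calls from the tool actually run with. The enclosing nested module starts outside the hunk.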