diff --git a/docs/content/storage-drivers/gcs.md b/docs/content/storage-drivers/gcs.md
index f970b73e8..a2131d016 100644
--- a/docs/content/storage-drivers/gcs.md
+++ b/docs/content/storage-drivers/gcs.md
@@ -17,4 +17,8 @@ An implementation of the `storagedriver.StorageDriver` interface which uses Goog
 
 {{< hint type=note >}}
 Instead of a key file you can use [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials).
+
+To use redirects with default credentials assigned to a virtual machine you have to enable "IAM Service Account Credentials API" and grant `iam.serviceAccounts.signBlob` permission on the used service account.
+
+To use redirects with default credentials from Google Cloud CLI, in addition to the permissions mentioned above, you have to [impersonate the service account intended to be used by the registry](https://cloud.google.com/sdk/gcloud/reference#--impersonate-service-account).
 {{< /hint >}}
diff --git a/registry/storage/driver/gcs/gcs.go b/registry/storage/driver/gcs/gcs.go
index d2cdb5967..9676f7a09 100644
--- a/registry/storage/driver/gcs/gcs.go
+++ b/registry/storage/driver/gcs/gcs.go
@@ -785,10 +785,6 @@ func (d *driver) Delete(ctx context.Context, path string) error {
 // RedirectURL returns a URL which may be used to retrieve the content stored at
 // the given path, possibly using the given options.
 func (d *driver) RedirectURL(r *http.Request, path string) (string, error) {
- if d.privateKey == nil {
- return "", nil
- }
-
 if r.Method != http.MethodGet && r.Method != http.MethodHead {
 return "", nil
 }
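Review bot: With the `d.privateKey == nil` guard removed, RedirectURL no longer returns an empty URL when no key file is configured. A registry on default credentials that lacks the `iam.serviceAccounts.signBlob` permission described in the gcs.md hunk presumably now reaches the signing step and gets an error instead. The signing code is outside this hunk, so it is worth confirming how that failure surfaces to clients, and whether existing keyless deployments need the new permission before upgrading. The doc comment should also state the new precondition, for example `// Without a configured private key, signing relies on the service account's iam.serviceAccounts.signBlob permission.` Granting signBlob lets the registry's identity sign arbitrary blobs as that service account, so the docs could recommend a dedicated, narrowly scoped account.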