Treat GOOGLE_APPLICATION_CREDENTIALS env the same as credential file flag #229

Merged (2 commits), Dec 13, 2018

hfwang (Contributor) commented Nov 30, 2018

This changes it so the relative priority of token sources is:

  1. credential_file flag
  2. token flag
  3. Service account key at path stored in GOOGLE_APPLICATION_CREDENTIALS
  4. gcloud user credentials (set from gcloud auth login)
  5. Default Application Credentials via goauth (FindDefaultCredentials):
    1. GOOGLE_APPLICATION_CREDENTIALS (again)
    2. gcloud application default credentials (set from gcloud auth application-default login)
    3. appengine.AccessToken (for App Engine Go <=1.9)
    4. GCE/GAE metadata credentials

The previous change had inserted gcloud auth before FindDefaultCredentials, which resulted in gcloud auth overriding GOOGLE_APPLICATION_CREDENTIALS. After this change, GOOGLE_APPLICATION_CREDENTIALS still overrides the --token; however, documentation states that the environment variable and the flag are interchangeable, and that seems to be the order people are expecting.

This changes it so the relative priority of token sources is:

  1. --credential_file flag
  2. GOOGLE_APPLICATION_CREDENTIALS environment variable
  3. --token flag
  4. gcloud auth
  5. FindDefaultCredentials (see https://github.com/golang/oauth2/blob/28207608b83849a028d4f12e46533a6b6894ecaf/google/default.go#L61-L76)

The previous change had inserted gcloud auth before FindDefaultCredentials, which resulted in gcloud auth overriding GOOGLE_APPLICATION_CREDENTIALS. After this change, GOOGLE_APPLICATION_CREDENTIALS still overrides the --token; however, documentation states that the environment variable and the flag are interchangeable, and that seems to be the order people are expecting.
--token_file > --token > ENV[GOOGLE_APPLICATION_CREDENTIALS] > gcloud > default auth

hfwang requested a review from kurtisvg December 4, 2018 05:48

hfwang (Contributor Author) commented Dec 4, 2018

Tweaked the order around to use flags before env

kurtisvg added labels Dec 4, 2018: priority: p1, Status: In Progress, type: bug

kurtisvg (Contributor) commented Dec 4, 2018

Just for clarification, this PR changes the authentication order to the following:

  1. credential_file flag
  2. token flag
  3. Service account key at path stored in GOOGLE_APPLICATION_CREDENTIALS
  4. gcloud user credentials (set from gcloud auth login)
  5. Default Application Credentials via goauth:
    1. GOOGLE_APPLICATION_CREDENTIALS (again)
    2. gcloud application default credentials (set from gcloud auth application-default login)
    3. appengine.AccessToken (for App Engine Go <=1.9)
    4. GCE/GAE metadata credentials

We should probably update the README with this list as well.

hfwang merged commit 16b1ae5 into GoogleCloudPlatform:master Dec 13, 2018
hfwang deleted the env-credentials branch December 13, 2018 18:41
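
The precedence list from this thread, as an added example that is not the project's code: a small resolver that reports which token source wins and which configured sources it shadows. All type and function names are hypothetical, and `PreviousOrder` is an assumed model of the pre-fix behaviour described above (gcloud consulted before the environment variable).

```go
package main

import "fmt"

// Inputs is a hypothetical snapshot of what is configured when the proxy starts.
type Inputs struct {
	CredentialFile, Token, EnvKeyPath string // credential_file flag, token flag, GOOGLE_APPLICATION_CREDENTIALS
	GcloudLogin                       bool   // credentials from `gcloud auth login` exist
}

type source struct {
	name string
	set  func(Inputs) bool
}

var (
	credFile = source{"credential_file flag", func(i Inputs) bool { return i.CredentialFile != "" }}
	token    = source{"token flag", func(i Inputs) bool { return i.Token != "" }}
	envKey   = source{"GOOGLE_APPLICATION_CREDENTIALS", func(i Inputs) bool { return i.EnvKeyPath != "" }}
	gcloud   = source{"gcloud user credentials", func(i Inputs) bool { return i.GcloudLogin }}
	// MergedOrder is the order listed in the thread; if nothing is set, default credentials apply.
	MergedOrder = []source{credFile, token, envKey, gcloud}
	// PreviousOrder is an assumed model of the bug: gcloud was tried before the env variable.
	PreviousOrder = []source{credFile, token, gcloud, envKey}
)

// Resolve returns the winning source and the configured sources it shadows.
func Resolve(order []source, in Inputs) (winner string, shadowed []string) {
	for _, s := range order {
		switch {
		case !s.set(in): // not configured, skip
		case winner == "":
			winner = s.name
		default:
			shadowed = append(shadowed, s.name)
		}
	}
	if winner == "" {
		winner = "application default credentials"
	}
	return winner, shadowed
}

func main() {
	in := Inputs{EnvKeyPath: "/secrets/sa.json", GcloudLogin: true} // constructed input
	for _, order := range [][]source{PreviousOrder, MergedOrder} {
		w, s := Resolve(order, in)
		fmt.Printf("winner=%q shadowed=%q\n", w, s)
	}
}
```

A non-empty shadowed list is worth logging at start-up, since it means a configured credential is being silently ignored and the proxy may be running as a different identity than the operator expects.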