Update AIP-4115. #1022
matthewstevenson88
left a comment
Thanks for the PR Hang! I've left some comments, mostly nits. :)
matthewstevenson88
left a comment
LGTM, with a few remaining micro-nits. Thanks for the PR Hang! :)
TimurSadykov
left a comment
This AIP, by its title, is supposed to clarify default credentials for VMs. With this edit it is mostly focused on mTLS, which might not even be supported.
Added comments to the doc.
| - Google Cloud Functions | ||
| - Cloud Run | ||
| - Workload Identity on Google Kubernetes Engine | ||
| ## Prerequisites |
This paragraph is not really a "prerequisite" but rather a description of the fallback logic in the absence of mTLS support. Furthermore, the mTLS support detection mechanism is not fleshed out in the current state of things, and the ramifications extend beyond the scope of this AIP (as you stated). I would suggest we move the contents of this paragraph into the guidance section and also frame it in the context of existing mTLS support, which is enabled through ECP and SecureConnect and is applicable even in Google Cloud VMs. For example, the PR https://github.com/googleapis/google-api-go-client/pull/1874/files gives precedent to clientCertSource as discovered by ADC. Along those lines, I would also add back the link to [Application Default Credential][2] and maybe even reference AIP-4114 in this doc. WDYT?
Yeah. I moved the "prerequisite" to be part of the guidance and mentioned briefly that it should give priority to DCA. I am a bit hesitant to add more content related to ECP and SecureConnect, since IIUC these things are using DCA and as long as DCA takes precedence, they should be included with more details in DCA AIP if appropriate. WDYT?
andyrzhao
left a comment
LGTM, thanks for the updates!
Update AIP-4115 go/default-credentials-aip.