Improving Google authentication mechanisms #2945
google/storage uses a legacy Amazon-compatible authentication system that still works, but has some limitations and requires some hackery to get working in a non-trivial case. It looks for the parameters :google_storage_access_key_id and :google_storage_secret_access_key.
google/compute embraces the newer service account model, and accepts :google_project, :google_client_email, :google_key_location, :google_key_string and :google_client.
Instances provisioned on Google Compute Engine can be authorized at launch time with service_account_scopes, which preauthorize the instance on various Google OAuth scopes, e.g.: https://www.googleapis.com/auth/devstorage.full_control -- once this is done, a GET query to the Google metadata server from that instance will return a valid token for the service for that instance scoped to its own project -- no other service accounts required.
I would propose:
This would allow a fog user to provision a Compute Engine node using fog and a provisioning service account, preauthorize that node to connect to Cloud Storage (and/or other Google OAuth scopes), and then have that node be able to run and interact with Cloud Storage, Datastore, etc. without needing to be issued its own unique service account.
I can work on this and it doesn't look too terribly difficult, but I haven't contributed to fog before and this is really my first time looking at its internals. Before I waste too much effort, does this all sound worthwhile, and is there anyone actively maintaining the google stuff that I can coordinate with?
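The metadata-server flow described above, as an added Ruby example that is neither fog code nor part of this issue: it checks that the instance was actually launched with the scope it needs, fetches the instance token from the metadata server (the Metadata-Flavor header is required), and turns it into the bearer header a Cloud Storage call would use. The endpoint paths are the real v1 metadata server paths; the sample token body is constructed.

```ruby
require "net/http"
require "uri"
require "json"

# Added example, not fog code. Token and scope endpoints of the GCE metadata
# server; "default" is the service account attached to the instance at launch.
METADATA_HOST = "metadata.google.internal"
METADATA_BASE = "http://#{METADATA_HOST}/computeMetadata/v1/instance/service-accounts/default"
TOKEN_URL  = "#{METADATA_BASE}/token"
SCOPES_URL = "#{METADATA_BASE}/scopes"

# Constructed sample of what the token endpoint returns; not a real token.
SAMPLE_TOKEN_BODY = '{"access_token":"ya29.constructed-token","expires_in":3599,"token_type":"Bearer"}'

# Build the GET the metadata server expects. The Metadata-Flavor header is
# mandatory: the server rejects requests without it so that a browser or other
# software on the instance cannot be coaxed into fetching the token by accident.
def metadata_request(url)
  req = Net::HTTP::Get.new(URI(url))
  req["Metadata-Flavor"] = "Google"
  req
end

# Parse the token JSON into something a caller can cache; expires_at is absolute.
def parse_token_response(body, now: Time.now)
  data = JSON.parse(body)
  raise "metadata server returned no access_token" unless data["access_token"]
  {
    access_token: data["access_token"],
    token_type:   data.fetch("token_type", "Bearer"),
    expires_at:   now + Integer(data.fetch("expires_in", 0)),
  }
end

# The scopes endpoint returns one scope URL per line. Confirm the instance was
# pre-authorized for the API you are about to call instead of failing later.
def scope_granted?(scopes_body, wanted)
  scopes_body.lines.map(&:strip).include?(wanted)
end

# Live flow on an instance: verify the scope, then fetch and parse the token.
def instance_token(wanted_scope)
  scopes = Net::HTTP.start(METADATA_HOST, 80) { |h| h.request(metadata_request(SCOPES_URL)).body }
  raise "instance lacks scope #{wanted_scope}" unless scope_granted?(scopes, wanted_scope)
  body = Net::HTTP.start(METADATA_HOST, 80) { |h| h.request(metadata_request(TOKEN_URL)).body }
  parse_token_response(body)
end

# Header for the Cloud Storage API call made with that token.
def authorization_header(token)
  { "Authorization" => "#{token[:token_type]} #{token[:access_token]}" }
end
```

`instance_token` only works on a Compute Engine instance; the other functions can be exercised anywhere with `SAMPLE_TOKEN_BODY`.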
Storage has been largely ignored because it has been stable. Now that the new API has been blessed, we need to rewrite the entire service to use the new auth and api. I just haven't had the time to do this.
I act as the main maintainer for the Google folder, and have pulled in a bunch of random people to contribute on the side, since this isn't any of our full time jobs. One of my coworkers was given an intern who starts soon and will be working on doing the storage upgrade, so my goal is to have all of the issues you mention fixed by the end of the summer. Because yes, the services should play nice, and right now they don't.