FR: Need a good way to inject secrets besides gcloud & GOOGLE_APPLICATION_CREDENTIALS

[lesv]

PR's #94 & #144 both want to find a way to improve ADC for non-google cloud providers.

The ADC algorithm is defined to:

1. Look at environment variable GOOGLE_APPLICATION_CREDENTIALS
2. Look for gcloud auth application-default login
3. Get a service account from the GCP Metadata server (GAE & GCP are a bit different, but it's the same idea)

We should see if there is a way to safely and securely inject a secret like a service account JSON into a container running on another cloud platform. (item 3 above).

@jonparrott said: environment variables should not be used to hold secrets.

This is a very important item for us. We are trying get to the point where docker containers can run anywhere, on GCP, on a competing cloud provider, in their own datacenter, or locally in their laptop with just a change in the configuration.

[JustinBeckwith]

I'm not sure what more is available for us here. @theacodes what other types of auth does python provide?

[theacodes]

Environment variables pointing to a file that holds the secret (instead of putting the secret in the environment variable) is the best practice. Let's close this.