feat: Use self-signed JWTs in Spanner clients

googleapis · Jun 6, 2022 · d465906 · d465906
1 parent e029508
commit d465906
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/apis/Google.Cloud.Spanner.Data/Google.Cloud.Spanner.Data/SpannerClientCreationOptions.cs b/apis/Google.Cloud.Spanner.Data/Google.Cloud.Spanner.Data/SpannerClientCreationOptions.cs
@@ -35,8 +35,7 @@ internal sealed class SpannerClientCreationOptions : IEquatable<SpannerClientCre
         private static async Task<ChannelCredentials> CreatedScopedDefaultCredentials()
         {
             var appDefaultCredentials = await GoogleCredential.GetApplicationDefaultAsync().ConfigureAwait(false);
-            // TODO: Use a JWT, so no scoping?
-            return appDefaultCredentials.CreateScoped(SpannerClient.DefaultScopes).ToChannelCredentials();
+            return ConvertGoogleCredential(appDefaultCredentials);
         }
 
         /// <summary>
@@ -174,9 +173,19 @@ internal async Task<ChannelCredentials> GetCredentialsAsync()
                 }
             }
 
-            // TODO: Use JWT instead? (No scopes.)
-            // TODO: Use an async overload
-            return GoogleCredential.FromFile(file).CreateScoped(SpannerClient.DefaultScopes).ToChannelCredentials();
+            var credential = await GoogleCredential.FromFileAsync(file, cancellationToken: default).ConfigureAwait(false);
+            return ConvertGoogleCredential(credential);
+        }
+
+        private static ChannelCredentials ConvertGoogleCredential(GoogleCredential credential)
+        {
+            credential = credential.CreateScoped(SpannerClient.DefaultScopes);
+            // Use self-signed JWTs for service accounts.
+            if (credential.UnderlyingCredential is ServiceAccountCredential serviceCredential)
+            {
+                credential = GoogleCredential.FromServiceAccountCredential(serviceCredential.WithUseJwtAccessWithScopes(true));
+            }
+            return credential.ToChannelCredentials();
         }
     }
 }