Support short-lived token authentication for Stackdriver

[donkey-roll]

Is this a BUG REPORT or a FEATURE REQUEST?

This is a FEATURE REQUEST.

Problem Description

Currently, the Stackdriver exporter is tightly coupled with the Google Compute Engine (GCE) environment. It fetches required metadata, such as project-id and instance-id, directly from the GCE metadata server. For authentication, it relies on Application Default Credentials (ADC), which are typically discovered automatically from the environment (e.g., an attached service account on a GCE VM).

This implementation prevents the Stackdriver exporter from functioning in non-GCE environments, such as on-premises deployments or other cloud platforms, where the GCE metadata server and default service accounts are not available.

Proposed Solution

To enable the Stackdriver exporter to run in a wider range of environments, this issue proposes adding support for authentication using short-lived OAuth2 tokens.

This would allow users to provide credentials explicitly, decoupling the exporter from the underlying infrastructure and enabling it to authenticate with the Google Cloud Monitoring API from any environment.

Additional Context

I see there is an ongoing effort to migrate the Stackdriver exporter to OpenTelemetry in issue #1008. I believe this feature would be a valuable addition to the new OpenTelemetry-based implementation as well, ensuring it is flexible and supports various deployment scenarios from the start.

I would love to contribute to this issue.

cc @daveoy @dashpole @wangzhen127

[SergeyKanzhelev]

it will be great to design the proper auth support to be generic enough after we migrate to #1141

We can use OTel format for export universally, the question is how to design auth portion so it works more universally

[dashpole]

This has come up a few times (e.g. open-telemetry/opentelemetry-specification#4500). There isn't a pluggable interface for Go for auth.

To use google credentials with the otlpgrpc exporter, see https://github.com/GoogleCloudPlatform/opentelemetry-operations-go/blob/7130d1aded77c51f613a9d949f166d119cd595e9/example/trace/otlpgrpc/example.go#L48.

For gRPC, it looks like anything that implements PerRPCCredentials can be used with the OTLP exporter. You could use things in https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension, like the googleclientauth, basicauth, bearertokenauth, etc extensions as possible options without having to reimplement them yourselves.

[donkey-roll]

Hi @dashpole I am trying to add a periodically refreshing logic in this exporter and pass a token source to the monitoringClientOptions, do you know whether it will work for the new implementation in @daveoy 's PR? c82b1cf

https://github.com/kubernetes/node-problem-detector/blob/master/pkg/exporters/stackdriver/stackdriver_exporter.go#L132C3-L132C26

monitoringClientOptions = append(monitoringClientOptions, option.WithTokenSource(tokenSource))

[dashpole]

ah, sorry I misread the issue. Application default credentials supports more than just GCP environments. I would not recommend deviating from that method of obtaining credentials to authenticate with GCP services. See https://cloud.google.com/iam/docs/workload-identity-federation has some examples of other identity providers.