Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Soft-warn about application default credentials using gcloud credentials #198

Closed
JustinBeckwith opened this issue Jun 28, 2018 · 4 comments
Closed

Soft-warn about application default credentials using gcloud credentials #198

JustinBeckwith opened this issue Jun 28, 2018 · 4 comments
Assignees
@tmatsuo
Labels
priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@JustinBeckwith
Copy link
Contributor

Due to user issues with quota and API enablement, the auth libraries should issue a soft warning (that can be silenced) when application default credentials uses user credentials from the Cloud SDK. They should not warn if the credentials for the cloud sdk are service account credentials.

Your application has authenticated using end user credentials from Google 
Cloud SDK. We recommend that most server applications use service accounts
 instead. If your application continues to use end user credentials from Cloud 
SDK, you might receive a "quota exceeded" or "API not enabled" error. For 
more information about service accounts, see 
https://cloud.google.com/docs/authentication/.

Additional context:
https://groups.google.com/a/google.com/forum/#!topic/client-auth-team/DKqrFw6lL1Q
https://buganizer.corp.google.com/issues/64388723
googleapis/google-auth-library-python#266
@tmatsuo tmatsuo self-assigned this Jun 28, 2018
@tmatsuo
Copy link
Contributor

tmatsuo commented Jun 28, 2018

I feel like the best place to fix this issue is to change how gcloud auth application-default works.
If gcloud creates a service account and store the key securely (which is technically possible at all), the issue will just go away.

In other words, simple comparison between 8 engineers working on 8 auth libs and aforementioned central fix. WDYT?

@JustinBeckwith JustinBeckwith added the priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. label Jun 28, 2018
@JustinBeckwith
Copy link
Contributor Author

@theacodes has much of the context on the why here :) . Same in the thread.

@theacodes
Copy link
Contributor

@tmatsuo while that might be viable, neither us or the cloud SDK team want to continue intertwining Cloud SDK configuration with API Client Library configuration.

Happy to chat more about this internally, but this is the decision that's been made with very careful consideration.

@tmatsuo tmatsuo added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Jun 28, 2018
@JustinBeckwith JustinBeckwith added 🚨 This issue needs some love. and removed 🚨 This issue needs some love. labels Jul 3, 2018
@JustinBeckwith JustinBeckwith added 🚨 This issue needs some love. and removed 🚨 This issue needs some love. labels Jul 13, 2018
@JustinBeckwith
Copy link
Contributor Author

gentle bump

@tmatsuo tmatsuo mentioned this issue Jul 18, 2018
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@tmatsuo tmatsuo

Labels
priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tmatsuo @theacodes @JustinBeckwith