Closed a-mackay closed 1 week ago
Did you test this locally?
Yep, we built the plugin locally, and published our Android app successfully. It used my personal Google account set up via the gcloud CLI, and impersonated our publisher Service Account.
Just to add, we contemplated some more tests around this but the only "logic" added resulted in a different instantiation of a GoogleCredentials, so it meant several levels of mocking to assert on a type and the logic is fairly simple so it didn't seem like the cost of the test added much value. The actual logic of using ADC and impersonation lives in the Google SDK anyway.
Good enough for me, thanks! I'll try to review this before the end of the weekend.
Can you give me edit access to the PR? I'd like to tweak some stuff
@SUPERCILEX all done
Thx. Can you give me PR access? https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork I'd like to clean up some nits
Don't think we can as this is forked into a non-personal repo... The link above seems to allude to it being in personal repos and I don't see the option on this PR either. Might have to just suggest the clean ups and have us do them?
Ah, sounds good.
I'll do another pass tomorrow, but this is what I was going to tweak for now.
Fixed those ones, let us know if there's anything else :)
Context
Usage of Service Account keys is generally discouraged, with service account impersonation being a recommended alternative.
Changes
Allow Application Default Credentials to be used, and support Service Account impersonation with it. This could be used as an alternative to the existing Service Account key authentication. Since it is an alternative method, it should not affect backwards compatibility.
One point of discussion is the default values used to build ImpersonatedCredentials in AndroidPublisher.kt. We think these are suitable defaults - hardcoded values for the token lifetime were taken from GCP documentation and seem adequate given that tokens are autogenerated/refreshed by the underlying SDK as HTTP requests are constructed.
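A sketch of the credential selection described above, added here as an illustration and not the code from this PR or from AndroidPublisher.kt. The helper name `resolveCredentials`, its parameters, the `PUBLISHER_SA` environment variable and the 3600-second lifetime are assumptions; the caller's identity needs the Service Account Token Creator role on the target service account.

```kotlin
import com.google.auth.oauth2.GoogleCredentials
import com.google.auth.oauth2.ImpersonatedCredentials
import java.io.File
import java.io.FileInputStream

// OAuth scope for the Google Play Developer (Android Publisher) API.
private const val PUBLISHER_SCOPE = "https://www.googleapis.com/auth/androidpublisher"

// Assumed value: 3600 s is the default maximum lifetime of an impersonated token.
private const val TOKEN_LIFETIME_SECONDS = 3600

/**
 * Hypothetical helper (not the plugin's API).
 * - keyFile set: legacy path, load the Service Account key as before.
 * - keyFile null: fall back to Application Default Credentials (ADC),
 *   e.g. a user login created with the gcloud CLI or a workload identity.
 * - impersonateServiceAccount set: exchange the source identity for
 *   short-lived tokens of that Service Account, so no key is stored.
 */
fun resolveCredentials(keyFile: File?, impersonateServiceAccount: String?): GoogleCredentials {
    val source: GoogleCredentials = if (keyFile != null) {
        FileInputStream(keyFile).use { GoogleCredentials.fromStream(it) }
    } else {
        GoogleCredentials.getApplicationDefault()
    }

    if (impersonateServiceAccount.isNullOrBlank()) {
        // No impersonation requested: use the source identity directly.
        return source.createScoped(listOf(PUBLISHER_SCOPE))
    }

    return ImpersonatedCredentials.create(
        source,
        impersonateServiceAccount, // target principal (Service Account email)
        emptyList(),               // no delegation chain
        listOf(PUBLISHER_SCOPE),   // request only the scope the publisher needs
        TOKEN_LIFETIME_SECONDS,
    )
}

fun main() {
    // PUBLISHER_SA is a hypothetical variable holding the Service Account email.
    val credentials = resolveCredentials(keyFile = null, System.getenv("PUBLISHER_SA"))
    credentials.refreshIfExpired() // fails here if ADC or the IAM binding is missing
    println("Using ${credentials::class.simpleName}")
}
```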