go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Support OAuth 2.0 access tokens for Google Cloud (gcloud) DNS Challenge #1567

Open davidalger opened 2 years ago

davidalger commented 2 years ago

How do you use lego?

I'm using Lego via the ACME provider in Terraform: https://registry.terraform.io/providers/vancluever/acme/latest/docs

Detailed Description

In our CI environments, Terraform is run with a service account which then impersonates another service account to gain privileges needed to operate. I.e. application default credentials (ADC) will not have required roles to create/delete the TXT entries on the DNS zone, and we would prefer not to use long-lived JSON credentials.

The Terraform provider for Google Cloud supports generating OAuth tokens for the user/service account a provider is using, and also creating OAuth tokens for a given service account.

Given that the use of service account JSON credentials is discouraged in favor of short lived credentials, it stands to reason that the gcloud DNS challenge should support use of OAuth access tokens so that the challenge can be handled with short-term credentials rather than static long-lived credentials.

I'm proposing the addition of a GCE_ACCESS_TOKEN environment variable, as an alternative to the existing GCE_SERVICE_ACCOUNT and GCE_SERVICE_ACCOUNT_FILE env vars:

GCE_ACCESS_TOKEN (Optional) A temporary OAuth 2.0 access token obtained from the Google Authorization server, i.e. the Authorization: Bearer token used to authenticate HTTP requests to GCP APIs.

pyaillet commented 2 years ago

Sadly, the library provided by Google to handle OAuth2 does not support a static token source which IMHO would be the way to build the client with the authentication config. Hashicorp seems to have gotten around this by defining a staticTokenSource here.

I guess it would be the way to go to support this authentication method.

WDYT?
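As an added example (not code from lego, the Terraform provider, or either commenter), the stand-alone Go program below shows what the proposed GCE_ACCESS_TOKEN path and the static token source discussed above amount to: a TokenSource that hands out one pre-minted bearer token, a transport that puts it in the Authorization header of every request, and an environment lookup that prefers GCE_ACCESS_TOKEN over the service-account variables. The Token and TokenSource types mirror the shape of golang.org/x/oauth2 but are defined locally so the program runs with the standard library only; the env precedence, the expiry refusal and the test server URL are assumptions made for the illustration, not lego behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// Token mirrors the fields of oauth2.Token that matter here (assumption:
// a stand-in for golang.org/x/oauth2, not the library itself).
type Token struct {
	AccessToken string
	Expiry      time.Time // zero means "unknown"; the caller is trusted
}

// TokenSource has the same shape as oauth2.TokenSource.
type TokenSource interface {
	Token() (*Token, error)
}

// staticTokenSource hands out one caller-supplied access token. It is the
// equivalent of the staticTokenSource mentioned in the thread, plus one
// check: once the token's expiry has passed it refuses to return it, so a
// stale short-lived credential fails loudly instead of producing 401s.
type staticTokenSource struct {
	tok *Token
}

func (s staticTokenSource) Token() (*Token, error) {
	if s.tok == nil || s.tok.AccessToken == "" {
		return nil, errors.New("static token source: empty access token")
	}
	if !s.tok.Expiry.IsZero() && time.Now().After(s.tok.Expiry) {
		return nil, errors.New("static token source: access token has expired")
	}
	return s.tok, nil
}

// StaticTokenSource wraps a pre-obtained bearer token and its expiry.
func StaticTokenSource(accessToken string, expiry time.Time) TokenSource {
	return staticTokenSource{tok: &Token{AccessToken: accessToken, Expiry: expiry}}
}

// bearerTransport injects "Authorization: Bearer <token>" on every request,
// which is exactly what a GCE_ACCESS_TOKEN value is meant to feed.
type bearerTransport struct {
	src  TokenSource
	base http.RoundTripper
}

func (t bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.src.Token()
	if err != nil {
		return nil, err // no request leaves the process without a valid token
	}
	clone := req.Clone(req.Context()) // never mutate the caller's request
	clone.Header.Set("Authorization", "Bearer "+tok.AccessToken)
	base := t.base
	if base == nil {
		base = http.DefaultTransport
	}
	return base.RoundTrip(clone)
}

// NewClient builds an http.Client that authenticates with the token source.
func NewClient(src TokenSource) *http.Client {
	return &http.Client{Transport: bearerTransport{src: src}}
}

// TokenSourceFromEnv models the proposed precedence: GCE_ACCESS_TOKEN wins
// when set (hypothetical variable from the issue); otherwise the caller
// falls back to the existing service-account mechanisms, which are out of
// scope here and represented by an error.
func TokenSourceFromEnv(lookup func(string) string) (TokenSource, error) {
	if tok := strings.TrimSpace(lookup("GCE_ACCESS_TOKEN")); tok != "" {
		// A raw token carries no expiry; the caller is trusted to have
		// minted it recently (Google access tokens are typically valid for
		// about an hour).
		return StaticTokenSource(tok, time.Time{}), nil
	}
	return nil, errors.New("GCE_ACCESS_TOKEN not set; fall back to GCE_SERVICE_ACCOUNT / GCE_SERVICE_ACCOUNT_FILE")
}

// AuthHeaderSeen sends one GET through a client built from src to a local
// constructed test server and reports the Authorization header it received.
func AuthHeaderSeen(src TokenSource) (string, error) {
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	// Path chosen to look like a Cloud DNS call; the server is constructed.
	resp, err := NewClient(src).Get(srv.URL + "/dns/v1/projects/example/managedZones")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return seen, nil
}

func main() {
	src, err := TokenSourceFromEnv(os.Getenv)
	if err != nil {
		fmt.Println(err)
		return
	}
	hdr, err := AuthHeaderSeen(src)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("server saw:", hdr)
}
```

In a real integration the local types would be replaced by oauth2.StaticTokenSource from golang.org/x/oauth2, passed to the Cloud DNS client with option.WithTokenSource. The operational caveat is the same either way: a static token cannot refresh itself, so the whole DNS-01 flow (create the TXT record, wait for propagation, clean up) has to finish within the token's remaining validity, and a token minted for an impersonated service account only works if that account holds the DNS role on the zone.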