google-apis-rs / google-cloud-rs

Asynchronous Rust bindings for Google Cloud Platform APIs.

Authorize with google cloud sdk application default credentials #53

Open Marlin-Na opened 3 years ago

Marlin-Na commented 3 years ago

Hey, I am glad to see this Rust binding of the Google Cloud APIs.

The python client and others implement several ways to authorize it. https://github.com/googleapis/google-auth-library-python/blob/9e1082366d113286bc063051fd76b4799791d943/google/auth/_default.py#L346-L435

  1. via the GOOGLE_APPLICATION_CREDENTIALS environment variable.
  2. via the Google Cloud SDK, i.e. gcloud auth application-default login
  3. via the App Engine / Compute Engine running environment

I am particularly interested in the second way of authorizing. It essentially involves checking the ~/.config/gcloud/application_default_credentials.json file to get client_secret and refresh_token. For example:

> cat ~/.config/gcloud/application_default_credentials.json 
{
  "client_id": "xxx",
  "client_secret": "xxx",
  "refresh_token": "xxx",
  "type": "authorized_user"
}

It would be great if this library can implement this kind of authorization. Issue #15 is probably related.
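The lookup order listed in the issue above, sketched in std-only Rust as an added example (not code from google-cloud-rs or from anyone in this thread). `AdcSource`, `AdcError` and `resolve_adc` are hypothetical names; returning an error when the variable is set but its file is missing is this example's choice, so that a typo never silently selects a different identity, and only the Unix path shown in the issue is handled.

```rust
use std::path::{Path, PathBuf};

/// Where credentials would come from, in the order listed in the issue.
#[derive(Debug, PartialEq)]
pub enum AdcSource {
    /// 1. File named by GOOGLE_APPLICATION_CREDENTIALS.
    EnvFile(PathBuf),
    /// 2. File written by `gcloud auth application-default login`.
    GcloudFile(PathBuf),
    /// 3. Nothing on disk: use the App Engine / Compute Engine environment.
    RuntimeEnvironment,
}

#[derive(Debug, PartialEq)]
pub enum AdcError {
    /// The variable is set but points at a file that is not there.
    EnvFileMissing(PathBuf),
}

/// `exists` is injected so the precedence can be tested without touching disk.
pub fn resolve_adc(
    env_value: Option<&str>,
    home: Option<&Path>,
    exists: &dyn Fn(&Path) -> bool,
) -> Result<AdcSource, AdcError> {
    // An explicit setting always wins; an empty value counts as unset.
    if let Some(v) = env_value.filter(|v| !v.is_empty()) {
        let p = PathBuf::from(v);
        return if exists(&p) { Ok(AdcSource::EnvFile(p)) } else { Err(AdcError::EnvFileMissing(p)) };
    }
    // The file holds a client_secret and refresh_token (type "authorized_user").
    if let Some(h) = home {
        let p = h.join(".config/gcloud/application_default_credentials.json");
        if exists(&p) {
            return Ok(AdcSource::GcloudFile(p));
        }
    }
    Ok(AdcSource::RuntimeEnvironment)
}

fn main() {
    let env = std::env::var("GOOGLE_APPLICATION_CREDENTIALS").ok();
    let home = std::env::var_os("HOME").map(PathBuf::from);
    let on_disk = |p: &Path| p.is_file();
    println!("{:?}", resolve_adc(env.as_deref(), home.as_deref(), &on_disk));
}
```
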

plippe commented 3 years ago

Hey,

I am looking for something similar.

I have an application running as a Docker container on Google Cloud Run. I want to interact with Datastore, but I can't seem to obtain the service account.

As others have suggested, it might be worth rewriting the client creation to follow Google's default credential flow and avoid duplication.

I don't mind trying to write a PR. It shouldn't be too hard as the logic already exists in all the official libraries. I should have something in a week or two.

Would anyone have any advice before I start?

plippe commented 3 years ago

There doesn't seem to be much interest in my PR. Therefore, I won't waste any time on it.

GlenDC commented 3 years ago

@Hirevo is this library still being supported? Do you need help? I would also very much like this logic as for now I am having to polyfill it myself. And while I do not mind putting in the work (as I will be forced to anyway), it does seem like a waste of time that all of us need to implement this ourselves.

As such, can the PR of @plippe be looked at please? If not, can you tell us why, so that he, I or someone else can take a second look at it, either by picking up the PR or by going for a different approach that you approve of?

Either way, as it stands now, the library is auth-wise very much under-supported, which is a shame, as all the rest does seem to be pretty neat as-is. For which, a big thanks!