Closed by jskeet 3 years ago
Assigning to Amanda to see whether this is covered by existing auth work and/or other languages.
This issue has been moved to the backlog in #1719. Please refer to BACKLOG.md for more information.
Any plans to support key rotation any time soon?
Not specifically, no. We are working on some improvements that may tangentially allow support for key rotation, but all of that is in a very exploratory phase right now.
I'll ping this issue if something comes out of it.
Do you have any potential ways to approach this feature without waiting for a complete implementation from your side?
If you are using ADC (GoogleCredential.GetApplicationDefaultAsync(...)), unfortunately the only workaround I can offer right now (I'm hesitant to call it that actually) is to occasionally restart the app. Don't get me wrong, I know this is far from advisable.
If you are OK with creating the credentials on your own, then you can do GoogleCredential.FromFile(...) and that will create a brand new credential from the current contents of the file. But notice that any existing credentials that had been created before will remain as they are.
I'm not aware of any of the other languages supporting this feature, to be honest, so again, and to address expectations, we'd still need to coordinate with the Auth team and with all languages so that we can implement a similar approach.
Lastly, I'm currently working on #2033 Support for Workload Identity Federation which is supposed to at least partially eliminate the need for downloading and sharing service account keys even when running outside Google Cloud. You can read more about Workload Identity Federation. There are still 2 or 3 weeks to go before that may be released, but it's definitely going to happen sooner than key rotation support.
This comes from https://github.com/googleapis/google-cloud-dotnet/issues/3406
Basically this would involve creating a file-watching (or possibly polling) credential implementation, so that if the service account file changes, we pick up on those changes automatically. We should consult with other language teams before implementing, in order to come up with a consistent approach.
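A sketch of the polling variant described above, built on the GoogleCredential.FromFile(...) workaround from the thread. This is an added example, not code from the library or its maintainers; the class name `ReloadingCredentialSource` and its members are hypothetical.

```csharp
using System;
using System.IO;
using Google.Apis.Auth.OAuth2;

// Hypothetical helper (not part of Google.Apis.Auth): hands out a credential
// that is re-read from disk whenever the service account file changes.
public sealed class ReloadingCredentialSource
{
    private readonly string _path;
    private readonly TimeSpan _pollInterval;
    private readonly object _lock = new object();
    private GoogleCredential _current;
    private DateTime _lastWriteUtc;
    private DateTime _nextCheckUtc;

    public ReloadingCredentialSource(string path, TimeSpan pollInterval)
    {
        _path = path;
        _pollInterval = pollInterval;
        // Read the timestamp before the contents so a write in between is not missed.
        _lastWriteUtc = File.GetLastWriteTimeUtc(path);
        _current = GoogleCredential.FromFile(path); // fail fast if the initial key is unusable
        _nextCheckUtc = DateTime.UtcNow + pollInterval;
    }

    // Ask for the credential each time a client is built. Clients created
    // from an earlier credential keep using the old key until recreated.
    public GoogleCredential GetCredential()
    {
        lock (_lock)
        {
            DateTime now = DateTime.UtcNow;
            if (now < _nextCheckUtc) return _current;
            _nextCheckUtc = now + _pollInterval;

            DateTime written = File.GetLastWriteTimeUtc(_path);
            if (written == _lastWriteUtc) return _current;
            try
            {
                _current = GoogleCredential.FromFile(_path);
                _lastWriteUtc = written; // only advance after a successful load
            }
            catch (Exception)
            {
                // File missing or half-written during rotation: keep the last
                // good credential; the unchanged timestamp forces a retry next poll.
            }
            return _current;
        }
    }
}
```

Rotation is safest when the new key file is written to a temporary path and renamed over the old one, so the poll never sees a partial file; the old key should stay enabled until all long-lived clients have been rebuilt.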