googleapis / google-api-dotnet-client

Google APIs Client Library for .NET
https://developers.google.com/api-client-library/dotnet
Apache License 2.0

Support for key rotation #1447

Closed jskeet closed 3 years ago

jskeet commented 5 years ago

This comes from https://github.com/googleapis/google-cloud-dotnet/issues/3406

Basically this would involve creating a file-watching (or possibly polling) credential implementation, so that if the service account file changes, we pick up on those changes automatically. We should consult with other language teams before implementing, in order to come up with a consistent approach.

jskeet commented 4 years ago

Assigning to Amanda to see whether this is covered by existing auth work and/or other languages.

amanda-tarafa commented 3 years ago

This issue has been moved to the backlog in #1719. Please refer to BACKLOG.md for more information.

TheSpy commented 2 years ago

Any plans to support key rotation any time soon?

amanda-tarafa commented 2 years ago

Not specifically, no. We are working on some improvements that may tangentially allow support for key rotation, but all of that is in a very exploratory phase right now.

I'll ping this issue if something comes out of it.

TheSpy commented 2 years ago

Do you have any potential ways to approach this feature without waiting for a complete implementation from your side?

amanda-tarafa commented 2 years ago

If you are using ADC (GoogleCredential.GetApplicationDefaultAsync(...)), unfortunately the only workaround I can offer right now (I'm hesitant to call it that actually) is to occasionally restart the app. Don't get me wrong, I know this is far from advisable.

If you are OK with creating the credentials on your own, then you can do GoogleCredential.FromFile(...) and that will create a brand new credential from the current contents of the file. But notice that any existing credentials that had been created before will remain as they are.

I'm not aware of any of the other languages supporting this feature, to be honest, so again, and to address expectations, we'd still need to coordinate with the Auth team and with all languages so that we can implement a similar approach.

Lastly, I'm currently working on #2033 Support for Workload Identity Federation, which is supposed to at least partially eliminate the need for downloading and sharing service account keys even when running outside Google Cloud. You can read more about Workload Identity Federation. There are still 2 or 3 weeks to go before that may be released, but it's definitely going to happen sooner than key rotation support.
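
An added example, not part of the thread and not code from the library: one way to build on the GoogleCredential.FromFile(...) workaround described above is to recreate the credential when the key file's last-write time changes. The class name ReloadingCredentialSource and its LastReloadError property are hypothetical; only GoogleCredential.FromFile and CreateScoped are library calls.

```csharp
using System;
using System.IO;
using Google.Apis.Auth.OAuth2;

// Hypothetical helper (not part of Google.Apis.Auth): hands out a credential
// rebuilt from the key file whenever the file's last-write time changes.
public sealed class ReloadingCredentialSource
{
    private readonly string _keyPath;
    private readonly string[] _scopes;
    private readonly object _lock = new object();
    private GoogleCredential _current;
    private DateTime _loadedWriteTimeUtc;

    // Last failure seen while reloading, so callers can log or alert on it.
    public Exception LastReloadError { get; private set; }

    public ReloadingCredentialSource(string keyPath, params string[] scopes)
    {
        _keyPath = Path.GetFullPath(keyPath);
        _scopes = scopes;
        // Fail fast at startup if the file is missing or malformed.
        Reload(File.GetLastWriteTimeUtc(_keyPath));
    }

    // Call this each time a client is constructed. Clients built earlier keep
    // the credential they were given; FromFile does not update them.
    public GoogleCredential GetCredential()
    {
        lock (_lock)
        {
            DateTime writeTime = File.GetLastWriteTimeUtc(_keyPath);
            if (writeTime == _loadedWriteTimeUtc) return _current;
            try { Reload(writeTime); LastReloadError = null; }
            catch (Exception e)
            {
                // File is mid-write or invalid: keep the previous credential.
                // The timestamp is not recorded, so the next call retries.
                LastReloadError = e;
            }
            return _current;
        }
    }

    private void Reload(DateTime writeTime)
    {
        GoogleCredential fresh = GoogleCredential.FromFile(_keyPath);
        _current = _scopes.Length > 0 ? fresh.CreateScoped(_scopes) : fresh;
        _loadedWriteTimeUtc = writeTime;
    }
}
```

Because clients created before a rotation keep using the old key, the old key should only be deleted after those clients have been rebuilt from GetCredential().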