Closed mcrumm closed 3 years ago
@mcrumm I'm gonna close this in favour of #91 as I believe I found a cleaner solution but please let me know otherwise! :)
Basically we'd now configure it like this:
Generate a token using a service account credentials file:

```elixir
iex> credentials = "credentials.json" |> File.read!() |> Jason.decode!()
iex> Goth.start_link(name: MyApp.Goth, source: {:service_account, credentials, []})
iex> Goth.fetch(MyApp.Goth)
{:ok, %Goth.Token{...}}
```

Retrieve the token using a refresh token:

```elixir
iex> credentials = "credentials.json" |> File.read!() |> Jason.decode!()
iex> Goth.start_link(name: MyApp.Goth, source: {:refresh_token, credentials, []})
iex> Goth.fetch(MyApp.Goth)
{:ok, %Goth.Token{...}}
```

Retrieve the token using the Google metadata server:

```elixir
iex> Goth.start_link(name: MyApp.Goth, source: {:metadata, []})
iex> Goth.fetch(MyApp.Goth)
{:ok, %Goth.Token{...}}
```
For now, we won't be able to set scope when using refresh token or metadata as support for that is shaky, however it's gonna be super easy to add it later if someone wants it.
All good, thanks @wojtekmach !
Ref: #82, #85
I realized too late that I had the path wrong in my last PR 🙈

`http://metadata.google.internal/computeMetadata/v1/instance/default/token`

vs.

`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token`

Additionally I went ahead and implemented the "magic" URL override, and ultimately I did something similar for `scope` that might be a little bit more controversial. Looking forward to feedback :)

tl;dr there are instances where you want to pass scope to the metadata server, but in the most common use case (GCE/GKE) you do not want to / it is not allowed. See https://cloud.google.com/run/docs/securing/service-identity#access_tokens for a better explanation. Primarily it's App Engine/Cloud Run that may need to set scope for service instance access tokens, and everyone else can/will ignore scope for their service accounts.
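As an added illustration (not code from Goth or from this PR), the following Elixir module shows the metadata-server exchange discussed above: the corrected `service-accounts/default/token` path, the `Metadata-Flavor: Google` request header the metadata server requires, the optional `scopes` query parameter that only Cloud Run/App Engine-style deployments need, and parsing of the JSON body the server returns. The module and function names are assumptions, the sample response body is constructed, and `Jason` is assumed to be available as it is in the snippets above.

```elixir
# Added example, not part of Goth: build and parse a GCE metadata-server token request.
defmodule MetadataTokenExample do
  # Corrected endpoint from the comment above (the earlier PR used a path without
  # the "service-accounts" segment, which the metadata server does not serve).
  @token_url "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

  # Returns {url, headers} for an HTTP GET against the metadata server.
  #
  # The "Metadata-Flavor: Google" header is mandatory: the server refuses requests
  # that lack it, which blocks browsers and naive proxies from reaching it.
  # Scopes are appended only when the caller asks for them, because on GCE/GKE the
  # default service account ignores or rejects them, while Cloud Run/App Engine may
  # need them to narrow the issued access token.
  def build_request(opts \\ []) do
    url =
      case Keyword.get(opts, :scopes, []) do
        [] -> @token_url
        scopes -> @token_url <> "?scopes=" <> Enum.join(scopes, ",")
      end

    {url, [{"metadata-flavor", "Google"}]}
  end

  # Parses the metadata server's JSON body into a map with an absolute expiry time,
  # so a caller can refresh before the token lapses rather than on every request.
  def parse_response(body, now \\ System.system_time(:second)) do
    %{"access_token" => token, "expires_in" => ttl, "token_type" => type} = Jason.decode!(body)
    %{token: token, type: type, expires: now + ttl}
  end
end

# Constructed sample response; the token value is a placeholder, not a real credential.
sample_body = ~s({"access_token":"ya29.PLACEHOLDER","expires_in":3599,"token_type":"Bearer"})

{url, headers} =
  MetadataTokenExample.build_request(scopes: ["https://www.googleapis.com/auth/cloud-platform"])

IO.inspect({url, headers}, label: "request")
IO.inspect(MetadataTokenExample.parse_response(sample_body, 1_700_000_000), label: "parsed")
```

Calling `build_request/1` without `:scopes` yields the bare URL, which is the right default for GCE/GKE; only pass scopes where the platform documents that the token endpoint honours them.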