
Prevent access token forwarding for Secret Manager

Open manuelbl opened this issue 3 years ago • 1 comment

In an application using OIDC or OAuth 2, the Secret Manager extension will use the access token of the current user to access the Secret Manager. Usually, the first user's token after startup will be used.

While this behavior is documented in Authenticating to the Google Cloud and makes sense for several Google services (such as Storage), it does not make sense for the Secret Manager and can even be considered a security issue.

The behavior can be disabled in application.properties:

quarkus.google.cloud.access-token-enabled=false

However, by disabling it globally it will not be available for other services. So it renders the Secret Manager extension incompatible with access token forwarding. It's not possible to use both the Secret Manager and access Google Storage with user credentials.

I therefore propose to enhance the Secret Manager extension:

  • Either automatically and globally disable user access tokens if the Secret Manager is used.
  • Or automatically disable user access tokens for the Secret Manager only (preferred option).

manuelbl avatar Apr 21 '21 13:04 manuelbl
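As an added example (not code from this issue or from the extension), one way to keep Secret Manager reads off the forwarded user token while leaving quarkus.google.cloud.access-token-enabled=true for Storage is to build a dedicated Secret Manager client on application-default (service account) credentials instead of relying on the extension's injected client. The project, secret and version names are placeholders.

```java
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.secretmanager.v1.AccessSecretVersionResponse;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import com.google.cloud.secretmanager.v1.SecretVersionName;

import java.io.IOException;

/** Reads secrets with the workload's own identity, never with a request user's OIDC token. */
public final class ServiceAccountSecretReader {

    private final SecretManagerServiceClient client;

    public ServiceAccountSecretReader() throws IOException {
        // Application-default credentials: the service account of the GCE/GKE/Cloud Run workload,
        // or GOOGLE_APPLICATION_CREDENTIALS locally. Scoped explicitly to cloud-platform.
        GoogleCredentials creds = GoogleCredentials.getApplicationDefault()
                .createScoped("https://www.googleapis.com/auth/cloud-platform");

        // Pin the credentials on this client so no per-request token can be substituted.
        SecretManagerServiceSettings settings = SecretManagerServiceSettings.newBuilder()
                .setCredentialsProvider(FixedCredentialsProvider.create(creds))
                .build();
        this.client = SecretManagerServiceClient.create(settings);
    }

    /** Returns the payload of projects/{project}/secrets/{secret}/versions/{version} as UTF-8. */
    public String read(String project, String secret, String version) {
        SecretVersionName name = SecretVersionName.of(project, secret, version);
        AccessSecretVersionResponse response = client.accessSecretVersion(name);
        return response.getPayload().getData().toStringUtf8();
    }

    public void close() {
        client.close();
    }

    public static void main(String[] args) throws IOException {
        // Placeholder identifiers; replace with real project, secret and version.
        ServiceAccountSecretReader reader = new ServiceAccountSecretReader();
        String value = reader.read("my-project", "db-password", "latest");
        System.out.println("secret length: " + value.length());
        reader.close();
    }
}
```

Because the client is created once with fixed credentials, the secret it returns does not depend on which user happened to authenticate first after startup.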

Maybe we need a way to override the global authentication for the Secret Manager to be able to choose a different authentication mechanism for it. So you can have OIDC for Storage and a JSON service account (or automatic auth when running in GCP) for Secret Manager.

This makes sense.

loicmathieu avatar Apr 21 '21 14:04 loicmathieu