Open adamhooper opened 3 years ago
Good idea! We do not use GCS much on our end, so we are not sure how other tools handle this! However, we are happy to accept PRs in order to make tusd work more uniform with the rest of the ecosystem (in a backwards compatible way) :)
Is your feature request related to a problem? Please describe.
I want to configure tusd's GCS authentication the way I configure other GCS clients.
In particular, my GKE containers already have workload identities. Other clients don't need a file on disk or an environment variable.
Describe the solution you'd like
I'd like tusd to authenticate using the existing logic in
cloud.google.com/go/storage
, as documented at https://cloud.google.com/docs/authentication/production, as opposed to with its own logic.For most users, this would mean setting
GOOGLE_APPLICATION_CREDENTIALS
instead ofGCS_APPLICATION_CREDENTIALS
. Wouldn't that be swell! It'd be like with other apps.But for users like me, who use GCE, GKE, etc., we'd have an even happier outcome: we wouldn't need to configure anything at all. Authentication would Just Work, no environment variable needed.
This diff ignores the backwards-compatibility problem. It might be wise to put
SetEnv("GOOGLE_APPLICATION_CREDENTIALS")
to equalGetEnv("GCS_SERVICE_ACCOUNT_FILE")
when it is set, to preserve backwards-compatibility.Describe alternatives you've considered
Currently, I create a service-account key, store it in a Kubernetes secret, mount the secret as a volume on the tusd container, and set the
GCS_SERVICE_ACCOUNT_FILE
variable to point to it.This adds a security problem: that security key is visible within the container, and it lasts for 10 years. (Under my proposed approach, the workload-identity tokens given by Google cloud services last only 30min.)
It also adds a maintenance problem: the security key expires in 10 years, and I must address that problem manually. (Under my proposed approach, maintenance is automatic.)
Also, I just made a mistake today and it frustrated me :)
Can you provide help with implementing this feature?
I think that diff ought to do it. I haven't tested it, though.
Additional context
All the cool kids authenticate without environment variables.