Merge pull request #184 from avast/feat/gcp_raw_key_support

mi-char · web-flow · commit ff194cbcff41 · 2023-06-07T12:27:23.000+02:00
feat: GCS backend - Add support for providing credentials file content in the env variable
diff --git a/gcs/README.md b/gcs/README.md
@@ -8,14 +8,27 @@ compile "com.avast.clients.storage:storage-client-gcs_2.13:x.x.x"
 
 ## Usage
 
-Configuration:
+### Configuration:
 
 ```hocon
 projectId = "my-project-id"
 bucketName = "bucket-name"
 ```
 
-Client init, example for `monix.eval.Task`:
+### Authentication
+
+GCS backends supports multiple ways of authentication:
+* Providing path to the credentials file in the configuration under `credentialsFile` key
+* Using `GOOGLE_APPLICATION_CREDENTIALS_RAW` environment variable with the content of the credentials file
+* All native ways of authentication provided by Google Cloud SDK
+  * Using `GOOGLE_APPLICATION_CREDENTIALS` environment variable
+  * Reading credential file from default paths (see https://cloud.google.com/docs/authentication/application-default-credentials#personal)
+  * For all options see https://cloud.google.com/docs/authentication/provide-credentials-adc#how-to 
+
+
+### Client initialization
+
+Example for `monix.eval.Task`:
 
 ```scala
 import com.avast.clients.storage.gcs.GcsStorageBackend
diff --git a/gcs/src/main/scala/com/avast/clients/storage/gcs/GcsStorageBackend.scala b/gcs/src/main/scala/com/avast/clients/storage/gcs/GcsStorageBackend.scala
@@ -18,7 +18,8 @@ import pureconfig.generic.ProductHint
 import pureconfig.generic.auto._
 import pureconfig.{CamelCase, ConfigFieldMapping}
 
-import java.io.FileInputStream
+import java.io.{ByteArrayInputStream, FileInputStream}
+import java.nio.charset.StandardCharsets
 import java.nio.file.StandardOpenOption
 import java.security.{DigestOutputStream, MessageDigest}
 
@@ -158,10 +159,20 @@ object GcsStorageBackend {
       blocker.delay {
         Either
           .catchNonFatal {
-            val builder = conf.jsonKeyPath match {
-              case Some(jsonKeyPath) =>
+            val credentialsFileContent = conf.credentialsFile
+              .map { credentialsFilePath =>
+                new FileInputStream(credentialsFilePath)
+              }
+              .orElse {
+                sys.env.get("GOOGLE_APPLICATION_CREDENTIALS_RAW").map { credentialFileRaw =>
+                  new ByteArrayInputStream(credentialFileRaw.getBytes(StandardCharsets.UTF_8))
+                }
+              }
+
+            val builder = credentialsFileContent match {
+              case Some(inputStream) =>
                 StorageOptions.newBuilder
-                  .setCredentials(ServiceAccountCredentials.fromStream(new FileInputStream(jsonKeyPath)))
+                  .setCredentials(ServiceAccountCredentials.fromStream(inputStream))
               case None =>
                 StorageOptions.getDefaultInstance.toBuilder
             }
@@ -206,7 +217,7 @@ object GcsStorageBackend {
   }
 }
 
-case class GcsBackendConfiguration(projectId: String, bucketName: String, jsonKeyPath: Option[String] = None)
+case class GcsBackendConfiguration(projectId: String, bucketName: String, credentialsFile: Option[String] = None)
 
 object GcsBackendConfiguration {
   // configure pureconfig:
