Load content of JSON credentials directly into GOOGLE_APPLICATION_CREDENTIALS environment variable without using file path. #1611
Comments
sheeeng
changed the title
sheeeng
changed the title
sheeeng
changed the title
sheeeng
changed the title
|
No, you have to choose between automatically loading the credentials from a file, or manually loading it from a string. (Obviously the code doesn't care where you get that string from - it could be in an environment variable.) But the default application credentials path will never use the content of an environment variable as the credential data itself. |
jskeet
added
the
type: question
|
Thanks Jon for the clarification. Have I understand correctly that the purpose of the mentioned environment variable encapsulates the use of Thus, it is alright for us to load the content of JSON credentials directly into |
|
I don't know what you mean by "the purpose of the mentioned environment variable encapsulates the use of But yes, it's absolutely fine to use |
|
Thanks, Jon. Please don't get me wrong. We would want to use |
|
I did not progress much since the last comment. I'm authenticating a BigTable client to Google Cloud through Microsoft Azure. byte[] data = Convert.FromBase64String(base64String);
string jsonKey = Encoding.UTF8.GetString(data);
- var fileName = "credentials";
- File.WriteAllText(fileName, jsonKey);
- Environment.SetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS", fileName);
+ GoogleCredential.FromJson(jsonKey);I read[1] that We have |
|
You're just calling If you're using Google.Cloud.BigQuery.V2, just use: var credential = GoogleCredential.FromJson(jsonKey);
var client = BigQueryClient.Create(projectId, credential);(I'm slightly confused as you were talking about BigQuery before, and your last comment is about Bigtable. Those are separate products, with slightly different APIs.) |
|
Thanks for the clarification. I should be clear about authentication through a How does authenticating through BigTable client looks like after |
|
In that case, you don't even need to call var client = new BigtableClientBuilder { JsonCredentials = jsonKey }.Build();See https://googleapis.github.io/google-cloud-dotnet/docs/faq.html#how-can-i-use-non-default-credentials-for-grpc-based-apis for more details. |
|
Thank you for much for the clarification, Jon. |
@jskeet Could you please elaborate a bit on the rationale behind this design decision? Is it due to some kind of security concern? |
|
@oskar: I can't speak for the auth design team, but I would expect that yes, there are security concerns around environment variables being leaked (see the CodeCov vulnerability for example). But beyond that, there's a cost to every additional way of specifying credentials - there's more complexity for customers to navigate, more to implement and ensure consistency across many platforms, more documentation to write etc. That means the benefit for "yet another way of specifying credentials" has to be really pretty significant before it's worth doing. |
|
// .env .. usage |
According to official documentation[1][2],
GOOGLE_APPLICATION_CREDENTIALSenvironment variable can only accept file path to a JSON formatted credentials file.As a user, I would want to load the content of JSON credentials directly into GOOGLE_APPLICATION_CREDENTIALS environment variable without using the file path. I want to prevent writing credentials to the file system.
Please forgive my ignorance. Is it possible that we use
GoogleCredential.FromJson(string json)function[3] as a workaound?P.S. There is also a related case[4] under google-api-go-client project.
[1] https://googleapis.github.io/google-cloud-dotnet/docs/Google.Cloud.BigQuery.V2/index.html#authentication
[2] https://cloud.google.com/docs/authentication/getting-started
[3] https://googleapis.dev/dotnet/Google.Apis.Auth/1.48.0/api/Google.Apis.Auth.OAuth2.GoogleCredential.html#Google_Apis_Auth_OAuth2_GoogleCredential_FromJson_System_String_
[4] googleapis/google-api-go-client#185
The text was updated successfully, but these errors were encountered: