From d2ea9b4a95e33883e87b9288666de75542740a77 Mon Sep 17 00:00:00 2001 From: Yao Cui Date: Mon, 21 Oct 2024 19:40:36 +0000 Subject: [PATCH 1/2] gdc oauth2 impersonation --- google/cloud/internal/credentials_impl.cc | 6 +- google/cloud/internal/credentials_impl.h | 7 +- .../internal/oauth2_google_credentials.cc | 10 +++ ...impersonate_service_account_credentials.cc | 78 ++++++++++++++++++- ..._impersonate_service_account_credentials.h | 15 ++++ .../oauth2_minimal_iam_credentials_rest.cc | 13 ++-- .../oauth2_minimal_iam_credentials_rest.h | 7 +- google/cloud/universe_domain/demo/compute.cc | 41 ++++------ 8 files changed, 141 insertions(+), 36 deletions(-) diff --git a/google/cloud/internal/credentials_impl.cc b/google/cloud/internal/credentials_impl.cc index 628f336892ef9..efe4a1bb21e68 100644 --- a/google/cloud/internal/credentials_impl.cc +++ b/google/cloud/internal/credentials_impl.cc @@ -68,10 +68,12 @@ AccessTokenConfig::AccessTokenConfig( ImpersonateServiceAccountConfig::ImpersonateServiceAccountConfig( std::shared_ptr base_credentials, - std::string target_service_account, Options opts) + std::string target_service_account, Options opts, + absl::optional service_account_impersonation_url) : base_credentials_(std::move(base_credentials)), target_service_account_(std::move(target_service_account)), - options_(PopulateAuthOptions(std::move(opts))) {} + options_(PopulateAuthOptions(std::move(opts))), + service_account_impersonation_url_(std::move(service_account_impersonation_url)) {} std::chrono::seconds ImpersonateServiceAccountConfig::lifetime() const { return options_.get(); diff --git a/google/cloud/internal/credentials_impl.h b/google/cloud/internal/credentials_impl.h index 6c41d7f782bc0..78604b93213ae 100644 --- a/google/cloud/internal/credentials_impl.h +++ b/google/cloud/internal/credentials_impl.h 
@@ -119,7 +119,8 @@ class ImpersonateServiceAccountConfig : public Credentials { public: ImpersonateServiceAccountConfig(std::shared_ptr base_credentials, std::string target_service_account, - Options opts); + Options opts, + absl::optional service_account_impersonation_url = absl::nullopt); std::shared_ptr base_credentials() const { return base_credentials_; @@ -131,6 +132,9 @@ class ImpersonateServiceAccountConfig : public Credentials { std::vector const& scopes() const; std::vector const& delegates() const; Options const& options() const { return options_; } + absl::optional const& service_account_impersonation_url() const { + return service_account_impersonation_url_; + } private: void dispatch(CredentialsVisitor& v) const override { v.visit(*this); } @@ -138,6 +142,7 @@ class ImpersonateServiceAccountConfig : public Credentials { std::shared_ptr base_credentials_; std::string target_service_account_; Options options_; + absl::optional service_account_impersonation_url_; }; class ServiceAccountConfig : public Credentials { diff --git a/google/cloud/internal/oauth2_google_credentials.cc b/google/cloud/internal/oauth2_google_credentials.cc index 2968b095b7445..1535b48a65e1e 100644 --- a/google/cloud/internal/oauth2_google_credentials.cc +++ b/google/cloud/internal/oauth2_google_credentials.cc @@ -24,6 +24,7 @@ #include "google/cloud/internal/oauth2_http_client_factory.h" #include "google/cloud/internal/oauth2_service_account_credentials.h" #include "google/cloud/internal/parse_service_account_p12_file.h" +#include "google/cloud/internal/oauth2_impersonate_service_account_credentials.h" #include "google/cloud/internal/throw_delegate.h" #include #include 
@@ -97,6 +98,12 @@ StatusOr> LoadCredsFromPath( std::make_unique(*info, options, std::move(client_factory))); } + if (cred_type == "impersonated_service_account") { + auto cfg = MakeImpersonateServiceAccountConfig(contents, options, internal::ErrorContext{}); + if (!cfg) return std::move(cfg).status(); + return std::unique_ptr( + std::make_unique(*cfg, std::move(client_factory))); + } return internal::InvalidArgumentError( "Unsupported credential type (" + cred_type + ") when reading Application Default Credentials file " @@ -132,6 +139,9 @@ StatusOr> MaybeLoadCredsFromAdcPaths( if (!google::cloud::internal::exists(adc_file_status)) return {nullptr}; } + std::cout << path << std::endl; + std::cout << "--------------------------------------" << std::endl; + // If the path was specified, try to load that file; explicitly fail if it // doesn't exist or can't be read and parsed. return LoadCredsFromPath(path, options, std::move(client_factory)); diff --git a/google/cloud/internal/oauth2_impersonate_service_account_credentials.cc b/google/cloud/internal/oauth2_impersonate_service_account_credentials.cc index f297050c043c4..1a68db0729dc6 100644 --- a/google/cloud/internal/oauth2_impersonate_service_account_credentials.cc +++ b/google/cloud/internal/oauth2_impersonate_service_account_credentials.cc 
@@ -34,13 +34,89 @@ GenerateAccessTokenRequest MakeRequest( } // namespace +StatusOr MakeImpersonateServiceAccountConfig( + std::string const& content, Options options, internal::ErrorContext const& ec) { + auto json = nlohmann::json::parse(content, nullptr, false); + if (!json.is_object()) { + return InvalidArgumentError( + "impersonate service account configuration was not a JSON object", + GCP_ERROR_INFO().WithContext(ec)); + } + auto type = ValidateStringField(json, "type", "credentials-file", ec); + if (!type) return std::move(type).status(); + if (*type != "impersonated_service_account") { + return InvalidArgumentError( + "mismatched type (" + *type + ") in external account configuration", + GCP_ERROR_INFO().WithContext(ec)); + } + + auto service_account_impersonation_url = ValidateStringField(json, "service_account_impersonation_url", "credentials-file", ec); + if (!service_account_impersonation_url) return std::move(service_account_impersonation_url).status(); + + std::vector v = absl::StrSplit(*service_account_impersonation_url, "/serviceAccounts/"); + if (v.size() != 2) { + return InvalidArgumentError( + absl::StrCat("malformed service_account_impersonation_url: ", *service_account_impersonation_url), + GCP_ERROR_INFO().WithContext(ec)); + } + v = absl::StrSplit(v[1], ':'); + if (v.size() != 2) { + return InvalidArgumentError( + absl::StrCat("malformed service_account_impersonation_url: ", *service_account_impersonation_url), + GCP_ERROR_INFO().WithContext(ec)); + } + auto target_service_account = v[0]; + + auto delegates = json.find("delegates"); + if (delegates != json.end()) { + if (!delegates->is_array()) { + return InvalidArgumentError( + "delegates must be an array", GCP_ERROR_INFO().WithContext(ec)); + } + options.set(delegates->get>()); + } + + auto source_credentials = json.find("source_credentials"); + if (source_credentials == json.end()) { + return InvalidArgumentError( + "missing `source_credentials` field in impersonation service account 
configuration", + GCP_ERROR_INFO().WithContext(ec)); + } + + if (!source_credentials->is_object()) { + return InvalidArgumentError( + "`source_credentials` field is not a JSON object in impersonation service account configuration", + GCP_ERROR_INFO().WithContext(ec)); + } + auto const source_credentials_contents = source_credentials->dump(); + // save source_credentials_contents to a tmp file + (void)setenv("GOOGLE_APPLICATION_CREDENTIALS", "/tmp/base_credentials.json", 1); + + std::ofstream myfile; + myfile.open ("/tmp/base_credentials.json"); + myfile << source_credentials_contents; + myfile.close(); + + auto const cred_type = ValidateStringField(*source_credentials, "type", "credentials-file", ec); + if (!type) return std::move(type).status(); + + if ((*cred_type != "authorized_user" && *cred_type != "external_account" && *cred_type != "service_account")) { + return internal::InvalidArgumentError( + "Unsupported credential type : " + *cred_type, + GCP_ERROR_INFO().WithContext(ec)); + } + + return google::cloud::internal::ImpersonateServiceAccountConfig( + MakeGoogleDefaultCredentials(options), target_service_account, options, *service_account_impersonation_url); +} + ImpersonateServiceAccountCredentials::ImpersonateServiceAccountCredentials( google::cloud::internal::ImpersonateServiceAccountConfig const& config, HttpClientFactory client_factory) : ImpersonateServiceAccountCredentials( config, MakeMinimalIamCredentialsRestStub( rest_internal::MapCredentials(*config.base_credentials()), - config.options(), std::move(client_factory))) {} + config.options(), std::move(client_factory), config.service_account_impersonation_url())) {} ImpersonateServiceAccountCredentials::ImpersonateServiceAccountCredentials( google::cloud::internal::ImpersonateServiceAccountConfig const& config, 
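Review bot: The `source_credentials` block is written to the fixed path `/tmp/base_credentials.json` with default permissions and never removed, so the base credential is left on disk, readable by other local users under a typical umask, and a file or symlink already present at that name decides where the write lands. The accompanying `setenv("GOOGLE_APPLICATION_CREDENTIALS", ..., 1)` also replaces the caller's ADC setting for the whole process and is not safe alongside threads that read the environment. Building the base credentials from `source_credentials_contents` in memory would avoid both; if a file is unavoidable, create it exclusively under a unique name with owner-only permissions and delete it after loading. Separately, the check after `cred_type` tests the wrong variable, so a missing `type` inside `source_credentials` dereferences an error result; it should read `if (!cred_type) return std::move(cred_type).status();`. Neither the `open` nor the write is checked for failure.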
diff --git a/google/cloud/internal/oauth2_impersonate_service_account_credentials.h b/google/cloud/internal/oauth2_impersonate_service_account_credentials.h index ca80cbe572f4b..31f9b26792ac8 100644 --- a/google/cloud/internal/oauth2_impersonate_service_account_credentials.h +++ b/google/cloud/internal/oauth2_impersonate_service_account_credentials.h @@ -20,12 +20,27 @@ #include "google/cloud/version.h" #include #include +#include +#include "google/cloud/internal/make_status.h" +#include "google/cloud/internal/absl_str_cat_quiet.h" +#include "absl/strings/str_split.h" + +#include "google/cloud/internal/json_parsing.h" +#include "google/cloud/internal/oauth2_external_account_credentials.h" +#include "google/cloud/internal/oauth2_authorized_user_credentials.h" +#include "google/cloud/internal/oauth2_service_account_credentials.h" + +#include +#include namespace google { namespace cloud { namespace oauth2_internal { GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN +StatusOr MakeImpersonateServiceAccountConfig( + std::string const& content, Options options, internal::ErrorContext const& ec); + /** * Provides Credentials when impersonating an existing service account. */ diff --git a/google/cloud/internal/oauth2_minimal_iam_credentials_rest.cc b/google/cloud/internal/oauth2_minimal_iam_credentials_rest.cc index 8a4b415d35b31..1d90134212e59 100644 --- a/google/cloud/internal/oauth2_minimal_iam_credentials_rest.cc +++ b/google/cloud/internal/oauth2_minimal_iam_credentials_rest.cc 
@@ -37,10 +37,13 @@ using ::google::cloud::internal::InvalidArgumentError; MinimalIamCredentialsRestStub::MinimalIamCredentialsRestStub( std::shared_ptr credentials, Options options, - HttpClientFactory client_factory) + HttpClientFactory client_factory, + absl::optional service_account_impersonation_url) : credentials_(std::move(credentials)), options_(std::move(options)), - client_factory_(std::move(client_factory)) {} + client_factory_(std::move(client_factory)), + service_account_impersonation_url_( + std::move(service_account_impersonation_url)) {} StatusOr MinimalIamCredentialsRestStub::GenerateAccessToken( @@ -52,7 +55,7 @@ MinimalIamCredentialsRestStub::GenerateAccessToken( rest_internal::RestRequest rest_request; rest_request.AddHeader(auth_header.value()); rest_request.AddHeader("Content-Type", "application/json"); - rest_request.SetPath(MakeRequestPath(request)); + rest_request.SetPath(service_account_impersonation_url_ ? *service_account_impersonation_url_ : MakeRequestPath(request)); nlohmann::json payload{ {"delegates", request.delegates}, {"scope", request.scopes}, @@ -134,14 +137,14 @@ StatusOr ParseGenerateAccessTokenResponse( std::shared_ptr MakeMinimalIamCredentialsRestStub( std::shared_ptr credentials, Options options, - HttpClientFactory client_factory) { + HttpClientFactory client_factory, absl::optional service_account_impersonation_url) { auto enable_logging = options.get().count("rpc") != 0 || options.get().count("raw-client") != 0; std::shared_ptr stub = std::make_shared( std::move(credentials), std::move(options), - std::move(client_factory)); + std::move(client_factory), std::move(service_account_impersonation_url)); if (enable_logging) { stub = std::make_shared(std::move(stub)); } diff --git a/google/cloud/internal/oauth2_minimal_iam_credentials_rest.h b/google/cloud/internal/oauth2_minimal_iam_credentials_rest.h index 0c1a8e241c5f9..567457519316e 100644 --- a/google/cloud/internal/oauth2_minimal_iam_credentials_rest.h 
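Review bot: In `GenerateAccessToken`, `SetPath` now takes `service_account_impersonation_url_` verbatim from the credentials file while the request still carries the base credentials' `Authorization` header, and nothing visible in this series checks the URL's scheme or host. The source bearer token is therefore sent to whatever endpoint the file names; consider rejecting non-`https` URLs where the file is parsed and, where deployments allow, checking the host against the configured universe domain. Once the member is set the path no longer depends on `request.service_account`, so the stub silently ignores the account named in each request. The function body continues outside the hunk.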
+++ b/google/cloud/internal/oauth2_minimal_iam_credentials_rest.h @@ -37,6 +37,7 @@ struct GenerateAccessTokenRequest { std::chrono::seconds lifetime; std::vector scopes; std::vector delegates; + absl::optional service_account_impersonation_url; }; /// Parse the HTTP response from a `GenerateAccessToken()` call. @@ -73,7 +74,8 @@ class MinimalIamCredentialsRestStub : public MinimalIamCredentialsRest { */ MinimalIamCredentialsRestStub( std::shared_ptr credentials, - Options options, HttpClientFactory client_factory); + Options options, HttpClientFactory client_factory, + absl::optional service_account_impersonation_url = absl::nullopt); StatusOr GenerateAccessToken( GenerateAccessTokenRequest const& request) override; @@ -88,6 +90,7 @@ class MinimalIamCredentialsRestStub : public MinimalIamCredentialsRest { std::shared_ptr credentials_; Options options_; HttpClientFactory client_factory_; + absl::optional service_account_impersonation_url_; }; /** @@ -111,7 +114,7 @@ class MinimalIamCredentialsRestLogging : public MinimalIamCredentialsRest { std::shared_ptr MakeMinimalIamCredentialsRestStub( std::shared_ptr credentials, Options options, - HttpClientFactory client_factory); + HttpClientFactory client_factory, absl::optional service_account_impersonation_url = absl::nullopt); GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END } // namespace oauth2_internal diff --git a/google/cloud/universe_domain/demo/compute.cc b/google/cloud/universe_domain/demo/compute.cc index a8b49090b029f..593c4b1f51e33 100644 --- a/google/cloud/universe_domain/demo/compute.cc +++ b/google/cloud/universe_domain/demo/compute.cc 
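Review bot: The new `service_account_impersonation_url` member of `GenerateAccessTokenRequest` is not read anywhere in the visible hunks; `GenerateAccessToken` uses the stub's own `service_account_impersonation_url_` instead. Keeping the URL in two places invites them to disagree, so either drop the field from the request struct or have the stub read it from the request and remove the constructor parameter. The new constructor and factory parameters are also undocumented; a line such as `/// If set, used as the request URL instead of the path built by MakeRequestPath().` on the declarations would help.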
@@ -1,17 +1,3 @@ -// Copyright 2024 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - #include "google/cloud/compute/disks/v1/disks_client.h" #include "google/cloud/compute/disks/v1/disks_options.h" #include "google/cloud/internal/getenv.h" @@ -19,6 +5,7 @@ #include "google/cloud/universe_domain.h" #include "google/cloud/universe_domain_options.h" #include +#include namespace { 
@@ -34,25 +21,29 @@ void AddTargetApiVersionFromEnvVar(google::cloud::Options& options) { } // namespace int main(int argc, char* argv[]) try { - if (argc != 3) { + if (argc != 4) { std::cerr << "Usage: " << argv[0] << " project-id zone-id\n"; return 1; } std::string const project_id = argv[1]; std::string const zone_id = argv[2]; - // Create aliases to make the code easier to read. + namespace gc = ::google::cloud; namespace disks = ::google::cloud::compute_disks_v1; - auto options = - google::cloud::AddUniverseDomainOption(google::cloud::ExperimentalTag{}); - if (!options.ok()) throw std::move(options).status(); - // Override retry policy to quickly exit if there's a failure. - options->set( - std::make_shared(3)); + + gc::Options options; + auto is = std::ifstream(argv[3]); + is.exceptions(std::ios::badbit); + auto contents = std::string(std::istreambuf_iterator(is.rdbuf()), {}); + options.set(google::cloud::MakeGoogleDefaultCredentials()); + + auto ud_options = gc::AddUniverseDomainOption(gc::ExperimentalTag{}, options); + if (!ud_options.ok()) throw std::move(ud_options).status(); + // set env var COMPUTE_TARGET_API to select api other than "v1". - AddTargetApiVersionFromEnvVar(*options); - auto client = disks::DisksClient(disks::MakeDisksConnectionRest(*options)); + AddTargetApiVersionFromEnvVar(*ud_options); + auto client = disks::DisksClient(disks::MakeDisksConnectionRest(*ud_options)); std::cout << "compute.ListDisks:\n"; for (auto disk : client.ListDisks(project_id, zone_id)) { @@ -64,4 +55,4 @@ int main(int argc, char* argv[]) try { } catch (google::cloud::Status const& status) { std::cerr << "google::cloud::Status thrown: " << status << "\n"; return 1; -} +} \ No newline at end of file From 5e81f6e1f08578c173a1fd209960826e63d5b83c Mon Sep 17 00:00:00 2001 
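Review bot: `main` now requires `argc == 4`, but the usage text still lists only `project-id zone-id`, and the file read from `argv[3]` into `contents` is never used; the credentials come from `MakeGoogleDefaultCredentials()` regardless. Either drop the third argument or document it, e.g. `std::cerr << "Usage: " << argv[0] << " project-id zone-id credentials-file\n";`. `is.exceptions(std::ios::badbit)` does not report a file that fails to open, so a wrong path is silently read as empty. The hunk also removes the retry-limit override, so the demo presumably no longer exits quickly on failure.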
From: Yao Cui Date: Tue, 22 Oct 2024 17:36:21 +0000 Subject: [PATCH 2/2] grpc --- google/cloud/BUILD.bazel | 2 ++ google/cloud/google_cloud_cpp_grpc_utils.bzl | 2 ++ .../cloud/internal/grpc_google_credentials.cc | 29 +++++++++++++++++++ .../cloud/internal/grpc_google_credentials.h | 27 +++++++++++++++++ .../grpc_impersonate_service_account.cc | 2 +- .../internal/minimal_iam_credentials_stub.cc | 6 +++- .../internal/minimal_iam_credentials_stub.h | 2 +- .../internal/oauth2_google_credentials.cc | 3 -- .../internal/unified_grpc_credentials.cc | 6 ++++ 9 files changed, 73 insertions(+), 6 deletions(-) create mode 100644 google/cloud/internal/grpc_google_credentials.cc create mode 100644 google/cloud/internal/grpc_google_credentials.h diff --git a/google/cloud/BUILD.bazel b/google/cloud/BUILD.bazel index 7de0986c226f9..c69b31f5bc02f 100644 --- a/google/cloud/BUILD.bazel +++ b/google/cloud/BUILD.bazel @@ -165,6 +165,7 @@ cc_library( ], deps = [ ":google_cloud_cpp_common", + ":google_cloud_cpp_rest_internal", "@com_github_grpc_grpc//:grpc++", "@com_google_absl//absl/functional:function_ref", "@com_google_absl//absl/time", @@ -175,6 +176,7 @@ cc_library( "@com_google_googleapis//google/longrunning:longrunning_cc_grpc", "@com_google_googleapis//google/rpc:error_details_cc_proto", "@com_google_googleapis//google/rpc:status_cc_proto", + "@com_github_nlohmann_json//:json", ], ) diff --git a/google/cloud/google_cloud_cpp_grpc_utils.bzl b/google/cloud/google_cloud_cpp_grpc_utils.bzl index de675eb838aa6..93fe9c4904e7c 100644 --- a/google/cloud/google_cloud_cpp_grpc_utils.bzl +++ b/google/cloud/google_cloud_cpp_grpc_utils.bzl @@ -63,6 +63,7 @@ google_cloud_cpp_grpc_utils_hdrs = [ "internal/grpc_api_key_authentication.h", "internal/grpc_async_access_token_cache.h", "internal/grpc_channel_credentials_authentication.h", + "internal/grpc_google_credentials.h", "internal/grpc_impersonate_service_account.h", "internal/grpc_metadata_view.h", "internal/grpc_opentelemetry.h", 
@@ -102,6 +103,7 @@ google_cloud_cpp_grpc_utils_srcs = [ "internal/grpc_api_key_authentication.cc", "internal/grpc_async_access_token_cache.cc", "internal/grpc_channel_credentials_authentication.cc", + "internal/grpc_google_credentials.cc", "internal/grpc_impersonate_service_account.cc", "internal/grpc_opentelemetry.cc", "internal/grpc_request_metadata.cc", diff --git a/google/cloud/internal/grpc_google_credentials.cc b/google/cloud/internal/grpc_google_credentials.cc new file mode 100644 index 0000000000000..d7add041c3daf --- /dev/null +++ b/google/cloud/internal/grpc_google_credentials.cc @@ -0,0 +1,29 @@ +#include "google/cloud/internal/grpc_google_credentials.h" + +namespace google { +namespace cloud { +GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN +namespace internal { + +StatusOr> MaybeLoadImpersonationCredentials(CompletionQueue cq, Options const& options) { + std::string path = std::string(std::getenv("GOOGLE_APPLICATION_CREDENTIALS")); + auto ec = internal::ErrorContext{}; + if (path.empty()) { + return {nullptr}; + } + std::ifstream ifs(path); + auto const contents = std::string(std::istreambuf_iterator{ifs}, {}); + auto json = nlohmann::json::parse(contents, nullptr, false); + + auto cfg = oauth2_internal::MakeImpersonateServiceAccountConfig(contents, options, internal::ErrorContext{}); + if (!cfg) return std::move(cfg).status(); + + return std::shared_ptr( + GrpcImpersonateServiceAccount::Create(std::move(cq), *cfg, std::move(options))); + +} + +} // namespace internal +GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END +} // namespace cloud +} // namespace google \ No newline at end of file diff --git a/google/cloud/internal/grpc_google_credentials.h b/google/cloud/internal/grpc_google_credentials.h new file mode 100644 index 0000000000000..d9eb14815a412 --- /dev/null +++ b/google/cloud/internal/grpc_google_credentials.h 
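Review bot: `std::string(std::getenv("GOOGLE_APPLICATION_CREDENTIALS"))` in `MaybeLoadImpersonationCredentials` is undefined behaviour when the variable is unset, because `getenv` returns a null pointer; the `unified_grpc_credentials.cc` hunk calls this function for every default-credentials gRPC client, so an unset variable is an ordinary case. Use the project helper from `google/cloud/internal/getenv.h` instead: `auto path = GetEnv("GOOGLE_APPLICATION_CREDENTIALS");` followed by `if (!path || path->empty()) return {nullptr};`. The `ifstream` is never checked for a failed open, the parsed `json` local is unused, and `std::move(options)` on a `const&` parameter is just a copy. The new file also has no license header.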
@@ -0,0 +1,27 @@ +#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_GRPC_GOOGLE_CREDENTIALS_H +#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_GRPC_GOOGLE_CREDENTIALS_H + +#include "google/cloud/version.h" +#include "google/cloud/internal/make_status.h" +#include "google/cloud/internal/unified_grpc_credentials.h" +#include "google/cloud/internal/oauth2_google_application_default_credentials_file.h" +#include +#include +#include "google/cloud/internal/json_parsing.h" +#include "absl/strings/str_split.h" +#include "google/cloud/internal/oauth2_impersonate_service_account_credentials.h" +#include "google/cloud/internal/grpc_impersonate_service_account.h" + +namespace google { +namespace cloud { +GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN +namespace internal { + +StatusOr> MaybeLoadImpersonationCredentials(CompletionQueue cq, Options const& options); + +} // namespace internal +GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END +} // namespace cloud +} // namespace google + +#endif // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_GRPC_GOOGLE_CREDENTIALS_H \ No newline at end of file diff --git a/google/cloud/internal/grpc_impersonate_service_account.cc b/google/cloud/internal/grpc_impersonate_service_account.cc index 18fdb0c41843a..b2319b826f0a7 100644 --- a/google/cloud/internal/grpc_impersonate_service_account.cc +++ b/google/cloud/internal/grpc_impersonate_service_account.cc @@ -32,7 +32,7 @@ AsyncAccessTokenSource MakeSource(ImpersonateServiceAccountConfig const& config, auto stub = MakeMinimalIamCredentialsStub( CreateAuthenticationStrategy(*config.base_credentials(), std::move(cq), options), - MakeMinimalIamCredentialsOptions(options)); + MakeMinimalIamCredentialsOptions(options, config.service_account_impersonation_url())); GenerateAccessTokenRequest request; request.set_name("projects/-/serviceAccounts/" + diff --git a/google/cloud/internal/minimal_iam_credentials_stub.cc b/google/cloud/internal/minimal_iam_credentials_stub.cc index d88ca2e5582d3..2176b5fe9e7cf 100644 
--- a/google/cloud/internal/minimal_iam_credentials_stub.cc +++ b/google/cloud/internal/minimal_iam_credentials_stub.cc @@ -228,10 +228,14 @@ std::shared_ptr MakeMinimalIamCredentialsStub( return DecorateMinimalIamCredentialsStub(std::move(impl), options); } -Options MakeMinimalIamCredentialsOptions(Options options) { +Options MakeMinimalIamCredentialsOptions(Options options, absl::optional service_account_impersonation_url) { // The supplied options come from a service. We are overriding the value of // its `EndpointOption`. options.unset(); + if (service_account_impersonation_url) { + return options.set( + *service_account_impersonation_url); + } auto ep = UniverseDomainEndpoint("iamcredentials.googleapis.com", options); return options.set(std::move(ep)); } diff --git a/google/cloud/internal/minimal_iam_credentials_stub.h b/google/cloud/internal/minimal_iam_credentials_stub.h index b126995c74a75..bf2317b93ff97 100644 --- a/google/cloud/internal/minimal_iam_credentials_stub.h +++ b/google/cloud/internal/minimal_iam_credentials_stub.h @@ -71,7 +71,7 @@ std::shared_ptr MakeMinimalIamCredentialsStub( std::shared_ptr auth_strategy, Options const& options); -Options MakeMinimalIamCredentialsOptions(Options options); +Options MakeMinimalIamCredentialsOptions(Options options, absl::optional service_account_impersonation_url = absl::nullopt); } // namespace internal GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END diff --git a/google/cloud/internal/oauth2_google_credentials.cc b/google/cloud/internal/oauth2_google_credentials.cc index 1535b48a65e1e..942c15e74f23d 100644 --- a/google/cloud/internal/oauth2_google_credentials.cc +++ b/google/cloud/internal/oauth2_google_credentials.cc 
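Review bot: `MakeMinimalIamCredentialsOptions` stores the whole `service_account_impersonation_url` as the endpoint (the option type is not visible in this rendering, but the comment above says it overrides `EndpointOption`). The value accepted by `MakeImpersonateServiceAccountConfig` is a full URL ending in `/serviceAccounts/ACCOUNT:METHOD`, whereas a gRPC endpoint is a host and optional port, so this likely yields an unusable channel target; the caller in `grpc_impersonate_service_account.cc` passes it straight through. Extract and validate the authority from the URL before setting it, and keep the `UniverseDomainEndpoint` default when that fails.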
@@ -139,9 +139,6 @@ StatusOr> MaybeLoadCredsFromAdcPaths( if (!google::cloud::internal::exists(adc_file_status)) return {nullptr}; } - std::cout << path << std::endl; - std::cout << "--------------------------------------" << std::endl; - // If the path was specified, try to load that file; explicitly fail if it // doesn't exist or can't be read and parsed. return LoadCredsFromPath(path, options, std::move(client_factory)); diff --git a/google/cloud/internal/unified_grpc_credentials.cc b/google/cloud/internal/unified_grpc_credentials.cc index b1c82e99f2586..50c9225971dc9 100644 --- a/google/cloud/internal/unified_grpc_credentials.cc +++ b/google/cloud/internal/unified_grpc_credentials.cc @@ -22,6 +22,7 @@ #include "google/cloud/internal/grpc_service_account_authentication.h" #include #include +#include "google/cloud/internal/grpc_google_credentials.h" namespace { @@ -102,6 +103,11 @@ std::shared_ptr CreateAuthenticationStrategy( grpc::InsecureChannelCredentials()); } void visit(GoogleDefaultCredentialsConfig const&) override { + auto ret = MaybeLoadImpersonationCredentials(std::move(cq), std::move(options)); + if (ret) { + result = *ret; + return; + } result = std::make_unique( grpc::GoogleDefaultCredentials()); }
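Review bot: In `visit(GoogleDefaultCredentialsConfig const&)`, `if (ret)` is true for the success-with-`nullptr` value that `MaybeLoadImpersonationCredentials` returns when there is nothing to load, so `result` becomes null and the `GrpcChannelCredentialsAuthentication` fallback is skipped. The guard should be `if (ret && *ret) {`. An error status (for example a malformed impersonation file) is silently dropped in favour of the default credentials; consider logging or surfacing it, since the fallback may authenticate as a different identity than the file intended. The enclosing `CreateAuthenticationStrategy` starts and ends outside the hunk.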