From f30c6e261aecc052d753b9dae175161c9edaa08b Mon Sep 17 00:00:00 2001 From: yoshi-code-bot <70984784+yoshi-code-bot@users.noreply.github.com> Date: Wed, 10 Jan 2024 10:14:23 -0800 Subject: [PATCH] chore(identity-access_context_manager): Add toys file and update authentication documentation (#23802) --- .../.owlbot-manifest.json | 1 + .../.toys.rb | 28 +++ .../AUTHENTICATION.md | 171 ++++++++---------- 3 files changed, 101 insertions(+), 99 deletions(-) create mode 100644 google-identity-access_context_manager/.toys.rb diff --git a/google-identity-access_context_manager/.owlbot-manifest.json b/google-identity-access_context_manager/.owlbot-manifest.json index db40e914486d..d2935a251a98 100644 --- a/google-identity-access_context_manager/.owlbot-manifest.json +++ b/google-identity-access_context_manager/.owlbot-manifest.json @@ -3,6 +3,7 @@ ".gitignore", ".repo-metadata.json", ".rubocop.yml", + ".toys.rb", ".yardopts", "AUTHENTICATION.md", "CHANGELOG.md", diff --git a/google-identity-access_context_manager/.toys.rb b/google-identity-access_context_manager/.toys.rb new file mode 100644 index 000000000000..23434bdd5d5b --- /dev/null +++ b/google-identity-access_context_manager/.toys.rb @@ -0,0 +1,28 @@ +# frozen_string_literal: true + +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Auto-generated by gapic-generator-ruby. DO NOT EDIT! + +toys_version! ">= 0.15.3" + +if ENV["RUBY_COMMON_TOOLS"] + common_tools_dir = File.expand_path ENV["RUBY_COMMON_TOOLS"] + load File.join(common_tools_dir, "toys", "gapic") +else + load_git remote: "https://github.com/googleapis/ruby-common-tools.git", + path: "toys/gapic", + update: true +end diff --git a/google-identity-access_context_manager/AUTHENTICATION.md b/google-identity-access_context_manager/AUTHENTICATION.md index 2735d4f65e0f..0a52f2a149e6 100644 --- a/google-identity-access_context_manager/AUTHENTICATION.md +++ b/google-identity-access_context_manager/AUTHENTICATION.md @@ -1,149 +1,122 @@ # Authentication -In general, the google-identity-access_context_manager library uses -[Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) -credentials to connect to Google Cloud services. When running within -[Google Cloud Platform environments](#google-cloud-platform-environments) the -credentials will be discovered automatically. When running on other -environments, the Service Account credentials can be specified by providing the -path to the -[JSON keyfile](https://cloud.google.com/iam/docs/managing-service-account-keys) -for the account (or the JSON itself) in -[environment variables](#environment-variables). Additionally, Cloud SDK -credentials can also be discovered automatically, but this is only recommended -during development. +The recommended way to authenticate to the google-identity-access_context_manager library is to use +[Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials). +To review all of your authentication options, see [Credentials lookup](#credential-lookup). ## Quickstart -1. [Create a service account and credentials](#creating-a-service-account). -2. Set the [environment variable](#environment-variables). +The following example shows how to set up authentication for a local development +environment with your user credentials. -```sh -export GOOGLE_CLOUD_CREDENTIALS=path/to/keyfile.json -``` - -3. Initialize the client. +**NOTE:** This method is _not_ recommended for running in production. User credentials +should be used only during development. -```ruby -require "google/identity/access_context_manager" +1. [Download and install the Google Cloud CLI](https://cloud.google.com/sdk). +2. Set up a local ADC file with your user credentials: -client = Google::Identity::AccessContextManager.access_context_manager +```sh +gcloud auth application-default login ``` -## Credential Lookup - -The google-identity-access_context_manager library aims to make authentication -as simple as possible, and provides several mechanisms to configure your system -without requiring **Service Account Credentials** directly in code. - -**Credentials** are discovered in the following order: - -1. Specify credentials in method arguments -2. Specify credentials in configuration -3. Discover credentials path in environment variables -4. Discover credentials JSON in environment variables -5. Discover credentials file in the Cloud SDK's path -6. Discover GCP credentials - -### Google Cloud Platform environments +3. Write code as if already authenticated. -When running on Google Cloud Platform (GCP), including Google Compute Engine -(GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud -Functions (GCF) and Cloud Run, **Credentials** are discovered automatically. -Code should be written as if already authenticated. +For more information about setting up authentication for a local development environment, see +[Set up Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev). -### Environment Variables +## Credential Lookup -The **Credentials JSON** can be placed in environment variables instead of -declaring them directly in code. Each service has its own environment variable, -allowing for different service accounts to be used for different services. (See -the READMEs for the individual service gems for details.) The path to the -**Credentials JSON** file can be stored in the environment variable, or the -**Credentials JSON** itself can be stored for environments such as Docker -containers where writing files is difficult or not encouraged. +The google-identity-access_context_manager library provides several mechanisms to configure your system. +Generally, using Application Default Credentials to facilitate automatic +credentials discovery is the easist method. But if you need to explicitly specify +credentials, there are several methods available to you. -The environment variables that google-identity-access_context_manager -checks for credentials are configured on the service Credentials class (such as -`::Google::Identity::AccessContextManager::V1::AccessContextManager::Credentials`): +Credentials are accepted in the following ways, in the following order or precedence: -* `GOOGLE_CLOUD_CREDENTIALS` - Path to JSON file, or JSON contents -* `GOOGLE_CLOUD_KEYFILE` - Path to JSON file, or JSON contents -* `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file +1. Credentials specified in method arguments +2. Credentials specified in configuration +3. Credentials pointed to or included in environment variables +4. Credentials found in local ADC file +5. Credentials returned by the metadata server for the attached service account (GCP) -```ruby -require "google/identity/access_context_manager" - -ENV["GOOGLE_CLOUD_CREDENTIALS"] = "path/to/keyfile.json" +### Configuration -client = Google::Identity::AccessContextManager.access_context_manager -``` +You can configure a path to a JSON credentials file, either for an individual client object or +globally, for all client objects. The JSON file can contain credentials created for +[workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation), +[workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation), or a +[service account key](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key). -### Configuration +Note: Service account keys are a security risk if not managed correctly. You should +[choose a more secure alternative to service account keys](https://cloud.google.com/docs/authentication#auth-decision-tree) +whenever possible. -The path to the **Credentials JSON** file can be configured instead of storing -it in an environment variable. Either on an individual client initialization: +To configure a credentials file for an individual client initialization: ```ruby require "google/identity/access_context_manager" client = Google::Identity::AccessContextManager.access_context_manager do |config| - config.credentials = "path/to/keyfile.json" + config.credentials = "path/to/credentialfile.json" end ``` -Or globally for all clients: +To configure a credentials file globally for all clients: ```ruby require "google/identity/access_context_manager" Google::Identity::AccessContextManager.configure do |config| - config.credentials = "path/to/keyfile.json" + config.credentials = "path/to/credentialfile.json" end client = Google::Identity::AccessContextManager.access_context_manager ``` -### Cloud SDK +### Environment Variables -This option allows for an easy way to authenticate during development. If -credentials are not provided in code or in environment variables, then Cloud SDK -credentials are discovered. +You can also use an environment variable to provide a JSON credentials file. +The environment variable can contain a path to the credentials file or, for +environments such as Docker containers where writing files is not encouraged, +you can include the credentials file itself. -To configure your system for this, simply: +The JSON file can contain credentials created for +[workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation), +[workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation), or a +[service account key](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key). -1. [Download and install the Cloud SDK](https://cloud.google.com/sdk) -2. Authenticate using OAuth 2.0 `$ gcloud auth application-default login` -3. Write code as if already authenticated. +Note: Service account keys are a security risk if not managed correctly. You should +[choose a more secure alternative to service account keys](https://cloud.google.com/docs/authentication#auth-decision-tree) +whenever possible. + +The environment variables that google-identity-access_context_manager +checks for credentials are: -**NOTE:** This is _not_ recommended for running in production. The Cloud SDK -*should* only be used during development. +* `GOOGLE_CLOUD_CREDENTIALS` - Path to JSON file, or JSON contents +* `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file -## Creating a Service Account +```ruby +require "google/identity/access_context_manager" -Google Cloud requires **Service Account Credentials** to -connect to the APIs. You will use the **JSON key file** to -connect to most services with google-identity-access_context_manager. +ENV["GOOGLE_APPLICATION_CREDENTIALS"] = "path/to/credentialfile.json" -If you are not running this client within -[Google Cloud Platform environments](#google-cloud-platform-environments), you -need a Google Developers service account. +client = Google::Identity::AccessContextManager.access_context_manager +``` -1. Visit the [Google Cloud Console](https://console.cloud.google.com/project). -2. Create a new project or click on an existing project. -3. Activate the menu in the upper left and select **APIs & Services**. From - here, you will enable the APIs that your application requires. +### Local ADC file - *Note: You may need to enable billing in order to use these services.* +You can set up a local ADC file with your user credentials for authentication during +development. If credentials are not provided in code or in environment variables, +then the local ADC credentials are discovered. -4. Select **Credentials** from the side navigation. +Follow the steps in [Quickstart](#quickstart) to set up a local ADC file. - Find the "Create credentials" drop down near the top of the page, and select - "Service account" to be guided through downloading a new JSON key file. +### Google Cloud Platform environments - If you want to re-use an existing service account, you can easily generate a - new key file. Just select the account you wish to re-use, click the pencil - tool on the right side to edit the service account, select the **Keys** tab, - and then select **Add Key**. +When running on Google Cloud Platform (GCP), including Google Compute Engine +(GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud +Functions (GCF) and Cloud Run, credentials are retrieved from the attached +service account automatically. Code should be written as if already authenticated. - The key file you download will be used by this library to authenticate API - requests and should be stored in a secure location. +For more information, see +[Set up ADC for Google Cloud services](https://cloud.google.com/docs/authentication/provide-credentials-adc#attached-sa).