add support to use application default credentials to gcs storage bac…
…kend (hashicorp#3257)
stephansnyt authored and jefferai committed Aug 30, 2017
1 parent 5e148ac commit 55fa69a
Showing 2 changed files with 31 additions and 19 deletions.
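--- a/physical/gcs/gcs.go
+++ b/physical/gcs/gcs.go
@@ -42,26 +42,14 @@ func NewGCSBackend(conf map[string]string, logger log.Logger) (physical.Backend,
 }
 }
 
-// path to service account JSON file
-credentialsFile := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")
-if credentialsFile == "" {
-credentialsFile = conf["credentials_file"]
-if credentialsFile == "" {
-return nil, fmt.Errorf("env var GOOGLE_APPLICATION_CREDENTIALS or configuration parameter 'credentials_file' must be set")
-}
-}
-
-client, err := storage.NewClient(
-context.Background(),
-option.WithServiceAccountFile(credentialsFile),
-)
-
+ctx := context.Background()
+client, err := newGCSClient(ctx, conf, logger)
 if err != nil {
-return nil, fmt.Errorf("error establishing storage client: '%v'", err)
+return nil, errwrap.Wrapf("error establishing strorage client: {{err}}", err)
 }
 
 // check client connectivity by getting bucket attributes
-_, err = client.Bucket(bucketName).Attrs(context.Background())
+_, err = client.Bucket(bucketName).Attrs(ctx)
 if err != nil {
 return nil, fmt.Errorf("unable to access bucket '%s': '%v'", bucketName, err)
 }
@@ -88,6 +76,29 @@ func NewGCSBackend(conf map[string]string, logger log.Logger) (physical.Backend,
 return &g, nil
 }
 
+func newGCSClient(ctx context.Context, conf map[string]string, logger log.Logger) (*storage.Client, error) {
+// if credentials_file is configured, try to use it
+// else use application default credentials
+credentialsFile, ok := conf["credentials_file"]
+if ok {
+client, err := storage.NewClient(
+ctx,
+option.WithServiceAccountFile(credentialsFile),
+)
+
+if err != nil {
+return nil, fmt.Errorf("error with provided credentials: '%v'", err)
+}
+return client, nil
+}
+
+client, err := storage.NewClient(ctx)
+if err != nil {
+return nil, errwrap.Wrapf("error with application default credentials: {{err}}", err)
+}
+return client, nil
+}
+
 // Put is used to insert or update an entry
 func (g *GCSBackend) Put(entry *physical.Entry) error {
 defer metrics.MeasureSince([]string{"gcs", "put"}, time.Now())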
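Review bot: In `newGCSClient` the `ok` check treats a present-but-empty `credentials_file` as a file path, so a config that sets the key to `""` fails inside `option.WithServiceAccountFile` instead of falling through to application default credentials as the updated docs promise; the guard should be `if credentialsFile, ok := conf["credentials_file"]; ok && credentialsFile != "" {`. The removed code consulted `GOOGLE_APPLICATION_CREDENTIALS` before the config key, whereas the new helper only reaches the env var indirectly through the ADC path when the key is absent, so a configured file now silently takes precedence over the environment; that flip in which identity the backend runs as deserves a doc comment on the helper, e.g. `// newGCSClient prefers an explicit credentials_file; otherwise it falls back to application default credentials (which include GOOGLE_APPLICATION_CREDENTIALS and any ambient instance identity).` The new `errwrap.Wrapf` message in the first hunk misspells "storage" as "strorage"; it should read `errwrap.Wrapf("error establishing storage client: {{err}}", err)`. Within the helper the two failure branches wrap inconsistently (`fmt.Errorf` with `'%v'` versus `errwrap.Wrapf`), and the `logger` parameter is accepted but never used in the visible body.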
Expand Up @@ -34,10 +34,10 @@ storage "gcs" {
account must have permission to read, write, and delete from the bucket. This
can also be provided via the environment variable `GOOGLE_STORAGE_BUCKET`.

- `credentials_file` `(string: <required>)` – Specifies the path on disk to a
- `credentials_file` `(string: "<varies>")` – Specifies the path on disk to a
Google Cloud Platform [service account][gcs-service-account] private key file
in [JSON format][gcs-private-key]. This can also be provided via the
environment variable `GOOGLE_APPLICATION_CREDENTIALS`.
in [JSON format][gcs-private-key]. The GCS client library will attempt to use
the [application default credentials][adc] if this is not specified.

- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
requests.
Expand All @@ -55,6 +55,7 @@ storage "gcs" {
}
```

[adc]: https://developers.google.com/identity/protocols/application-default-credentials
[gcs]: https://cloud.google.com/storage/
[gcs-service-account]: https://cloud.google.com/compute/docs/access/service-accounts
[gcs-private-key]: https://cloud.google.com/storage/docs/authentication#generating-a-private-key
