-
|
I'm working on a standalone library that will be used by other teams. This library integrates multiple google cloud clients to query/pull/push/write data using multiple services (e.g. storage, bigquery, bigtable, etc.). I simply want to provide the library to the end user, they will integrate it into their application and use it. Credentials cannot be shared with the final user of the library. The production environment is controlled by the final user, thus environment variables and json files are not an option. What's the best practice to let my library authenticate and use the services in this scenario? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
I am not sure I understand the question, apologies if I missed something. Presumably the consumers of your library have their own credentials to authenticate with Google Cloud Platform. So much like we do for the libraries in You could expose the namespace my_lib {
class Client; // defined elsewhere.
Client MakeClient(std::shared_ptr<google::cloud::Credentials> credentials) {
auto options = google::cloud::Options{}.set<google::cloud::UnifiedCredentialsOption>(std::move(credentials));
auto gcs = google::cloud::storage::Client(options);
auto publisher = google::cloud::pubsub::Publisher(google::cloud::pubsub::MakePublisherConnection(Topic(...), options));
return SecretFactoryFunction(std::move(gcs), std::move(publisher));
}
}There may be good reasons why you don't want to expose If the consumers of your library don't have their own credentials, then I am not sure there is a "best practice". You cannot authenticate without |
Beta Was this translation helpful? Give feedback.
-
|
Thanks a lot for the answer and sorry if the question/topic wasn't fully clear. Let me add some additional information for you to get a better picture of the scenario and library usage. Some clarifications:
Some additional info about the library that might be useful:
So the question is: how can I authenticate in the descripted scenario? i.e. without using environment variables or providing the credentials |
Beta Was this translation helpful? Give feedback.
-
|
I do not think any of us working in the C++ client libraries would claims to be an expert in security or authentication. You may be better off asking in other forums. I would encourage you to read the Overview of identity and access management, particularly the sections on how to use an external identity provider and also read about workload identity federation. With that said, let me try to help. I am going to assume that you have some mechanism to authenticate your users. Something to stop any random person that gets access to your library code from running the library and accessing GCP services as if they were one of the authorized users. Firebase may be an alternative in that case. The C++ client libraries are not designed to work in that case. If you do have such a mechanism then you may want to consider workload identity federation. Basically you can get GCP to trust the authentication in the system you already use. Currently the C++ client libraries do not support workload identity federation (in some rare cases you can tunnel the gRPC credentials), but I expect this will be fixed during 2022-Q4. As a workaround: we do support access tokens, and you could use the algorithm described in: https://google.aip.dev/auth/4117 to create such access tokens. |
Beta Was this translation helpful? Give feedback.
-
|
Got it, I will take a look. Thanks a lot! |
Beta Was this translation helpful? Give feedback.
I am not sure I understand the question, apologies if I missed something.
Presumably the consumers of your library have their own credentials to authenticate with Google Cloud Platform. So much like we do for the libraries in
google-cloud-cppyour library would need to have options to set these credentials. How would they do so? Well, that depends on the API you want to expose.You could expose the
google::cloud::Credentialsdirectly to them, so your library could do something like: