googleapis/google-auth-library-ruby

Improve local user experience for User Credentials

TimurSadykov opened this issue · 7 comments

This is part of the bigger work go/simplified-local-adc

User Credentials are now recommended for local development per go/mitigating-cloud-auth-risk

However, some errors and warnings still refer to service accounts (see section 1.2 of the go/simplified-local-adc):

  1. When the user does not have credentials set up, we do not recommend setting up a service account; rather, we redirect to a new ADC setup page.
  2. (if implemented) We show a warning about user credentials only if a production environment is detected

Reference Java fix: googleapis/google-auth-library-java#1172

Added some comments to the PR, please revisit. Sorry if any confusion.
@bajajneha27

👋 @TimurSadykov - the linked documentation at https://goto.google.com/mitigating-cloud-auth-risk appears to be available for people with @google.com email addresses only. Is there a documentation reference that is available on the public internet?

Context for why I am interested: I started seeing this error locally. Our team recently switched our dev documentation to recommend application default credentials for local development (we previously recommended service account credentials). I want to make sure that our documented recommendation is in line with what Google recommends.

@jessieay Sorry for a delay, but looks like you have it resolved ) Let me know if any issues with those.

@TimurSadykov Thanks for getting back to me.

Would it be possible to update the error message so that it points to a publicly available URL instead of https://goto.google.com/mitigating-cloud-auth-risk ? Pointing to a private URL in an error message is confusing and having a documentation link with more context would be very helpful for anyone seeing this error who does not work at Google.

@jessieay I would be happy to help, but I don't see the referenced link in the code, do you have a link? Related PRs use public links. GitHub search also does not find any occurrences of the link in googleapis. Please re-confirm you keep seeing the error locally with the latest library. Thanks!

@TimurSadykov oops sorry I actually misremembered the situation here. The error message I saw was:

Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about service accounts, see https://cloud.google.com/docs/authentication/. To suppress this message, set the GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.

And I found this issue while trying to learn more about the error. But the links you posted in the issue description are all on the goto.google.com subdomain, which I cannot view unless I log in with a google.com email address:

[Screenshot]

So, the request was if you could share publicly available links instead of the ones in the issue description.

Hey @jessieay, sorry for a delay again. The older message was an outdated recommendation. Here is a public doc that describes why using Service Accounts locally is no longer recommended and describes alternatives. Let me know if you have any questions :)