example-gauth: Use application default creds instead of file argument (…

…grpc#11595) Also removed unnecessary refreshAccessToken() and fixed the reference to README.md. Fixes grpc#5677
larry-safran · Oct 4, 2024 · 94a0a0d · 94a0a0d
1 parent 35f0d56
commit 94a0a0d
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 25 deletions.
diff --git a/examples/example-gauth/README.md b/examples/example-gauth/README.md
@@ -43,13 +43,13 @@ gcloud pubsub topics create Topic1
 5. You will now need to set up [authentication](https://cloud.google.com/docs/authentication/) and a
 [service account](https://cloud.google.com/docs/authentication/#service_accounts) in order to access
 Pub/Sub via gRPC APIs as described [here](https://cloud.google.com/iam/docs/creating-managing-service-accounts).
-Assign the [role](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts) `Project -> Owner`
+(**Note:** This step is unnecessary on Google platforms (Google App Engine / Google Cloud Shell / Google Compute Engine) as it will
+automatically use the in-built Google credentials). Assign the [role](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts) `Project -> Owner`
 and for Key type select JSON. Once you click `Create`, a JSON file containing your key is downloaded to
 your computer. Note down the path of this file or copy this file to the computer and file system where
 you will be running the example application as described later. Assume this JSON file is available at
-`/path/to/JSON/file`. You can also use the `gcloud` shell commands to
-[create the service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-gcloud)
-and [the JSON file](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-gcloud).
+`/path/to/JSON/file` Set the value of the environment variable GOOGLE_APPLICATION_CREDENTIALS to this file path. You can also use the `gcloud` shell commands to
+[create the service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-gcloud).
 
 #### To build the examples
 
@@ -62,19 +62,18 @@ $ ../gradlew installDist
 
 
 #### How to run the example:
-`google-auth-client` requires two command line arguments for the location of the JSON file and the project ID:
+`google-auth-client` requires one command line argument for the project ID:
 
  ```text
-USAGE: GoogleAuthClient <path-to-JSON-file> <project-ID>
+USAGE: GoogleAuthClient <project-ID>
 ```
 
-The first argument <path-to-JSON-file> is the location of the JSON file you created in step 5 above.
-The second argument <project-ID> is the project ID in the form "projects/xyz123" where "xyz123" is
+The first argument <project-ID> is the project ID in the form "projects/xyz123" where "xyz123" is
 the project ID of the project you created (or used) in step 2 above.
 
  ```bash
 # Run the client
-./build/install/example-gauth/bin/google-auth-client /path/to/JSON/file projects/xyz123
+./build/install/example-gauth/bin/google-auth-client projects/xyz123
 ```
  That's it! The client will show the list of Pub/Sub topics for the project as follows:
 
@@ -93,13 +92,13 @@ the project ID of the project you created (or used) in step 2 above.
  ```
  $ mvn verify
  $ # Run the client
- $ mvn exec:java -Dexec.mainClass=io.grpc.examples.googleAuth.GoogleAuthClient -Dexec.args="/path/to/JSON/file projects/xyz123"
+ $ mvn exec:java -Dexec.mainClass=io.grpc.examples.googleAuth.GoogleAuthClient -Dexec.args="projects/xyz123"
  ```
 
  ## Bazel
  If you prefer to use Bazel:
  ```
  $ bazel build :google-auth-client
  $ # Run the client
- $ ../bazel-bin/google-auth-client /path/to/JSON/file projects/xyz123
+ $ ../bazel-bin/google-auth-client projects/xyz123
  ```
diff --git a/examples/example-gauth/src/main/java/io/grpc/examples/googleAuth/GoogleAuthClient.java b/examples/example-gauth/src/main/java/io/grpc/examples/googleAuth/GoogleAuthClient.java
@@ -33,7 +33,7 @@
 
 /**
  * Example to illustrate use of Google credentials as described in
- * @see <a href="../../../../../../GOOGLE_AUTH_EXAMPLE.md">Google Auth Example README</a>
+ * @see <a href="../../../../../../README.md">Google Auth Example README</a>
  *
  * Also @see <a href="https://cloud.google.com/pubsub/docs/reference/rpc/">Google Cloud Pubsub via gRPC</a>
  */
@@ -52,7 +52,7 @@ public class GoogleAuthClient {
    *
    * @param host  host to connect to - typically "pubsub.googleapis.com"
    * @param port  port to connect to - typically 443 - the TLS port
-   * @param callCredentials  the Google call credentials created from a JSON file
+   * @param callCredentials  the Google call credentials
    */
   public GoogleAuthClient(String host, int port, CallCredentials callCredentials) {
     // Google API invocation requires a secure channel. Channels are secure by default (SSL/TLS)
@@ -63,7 +63,7 @@ public GoogleAuthClient(String host, int port, CallCredentials callCredentials)
    * Construct our gRPC client that connects to the pubsub server using an existing channel.
    *
    * @param channel    channel that has been built already
-   * @param callCredentials  the Google call credentials created from a JSON file
+   * @param callCredentials  the Google call credentials
    */
   GoogleAuthClient(ManagedChannel channel, CallCredentials callCredentials) {
     this.channel = channel;
@@ -101,32 +101,30 @@ public void getTopics(String projectID) {
 
   /**
    * The app requires 2 arguments as described in
-   * @see <a href="../../../../../../GOOGLE_AUTH_EXAMPLE.md">Google Auth Example README</a>
+   * @see <a href="../../../../../../README.md">Google Auth Example README</a>
    *
-   * arg0 = location of the JSON file for the service account you created in the GCP console
-   * arg1 = project name in the form "projects/balmy-cirrus-225307" where "balmy-cirrus-225307" is
+   * arg0 = project name in the form "projects/balmy-cirrus-225307" where "balmy-cirrus-225307" is
    *        the project ID for the project you created.
    *
+   * On non-Google platforms, the GOOGLE_APPLICATION_CREDENTIALS env variable should be set to the
+   * location of the JSON file for the service account you created in the GCP console.
    */
   public static void main(String[] args) throws Exception {
-    if (args.length < 2) {
-      logger.severe("Usage: please pass 2 arguments:\n" +
-                    "arg0 = location of the JSON file for the service account you created in the GCP console\n" +
-                    "arg1 = project name in the form \"projects/xyz\" where \"xyz\" is the project ID of the project you created.\n");
+    if (args.length < 1) {
+      logger.severe("Usage: please pass 1 argument:\n" +
+                    "arg0 = project name in the form \"projects/xyz\" where \"xyz\" is the project ID of the project you created.\n");
       System.exit(1);
     }
-    GoogleCredentials credentials = GoogleCredentials.fromStream(new FileInputStream(args[0]));
+    GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
 
     // We need to create appropriate scope as per https://cloud.google.com/storage/docs/authentication#oauth-scopes
     credentials = credentials.createScoped(Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
 
-    // credentials must be refreshed before the access token is available
-    credentials.refreshAccessToken();
     GoogleAuthClient client =
             new GoogleAuthClient("pubsub.googleapis.com", 443, MoreCallCredentials.from(credentials));
 
     try {
-      client.getTopics(args[1]);
+      client.getTopics(args[0]);
     } finally {
       client.shutdown();
     }