Deprioritize GCloudAuthorizedUser

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "gcp_auth"
-version = "0.8.1"
+version = "0.9.0"
 repository = "https://github.com/hrvolapeter/gcp_auth"
 description = "Google cloud platform (GCP) authentication using default and custom service accounts"
 documentation = "https://docs.rs/gcp_auth/"

README.md

@@ -23,10 +23,11 @@ The library supports the following methods of retrieving tokens in the listed pr
 1. Reading custom service account credentials from the path pointed to by the
    `GOOGLE_APPLICATION_CREDENTIALS` environment variable. Alternatively, custom service
    account credentials can be read from a JSON file or string.
-2. Retrieving a token from the `gcloud` CLI tool, if it is available on the `PATH`.
+2. Look for credentials in `.config/gcloud/application_default_credentials.json`;
+   if found, use these credentials to request refresh tokens. This file can be created
+   by invoking `gcloud auth application-default login`.
 3. Use the default service account by retrieving a token from the metadata server.
-4. Look for credentials in `.config/gcloud/application_default_credentials.json`;
-   if found, use these credentials to request refresh tokens.
+4. Retrieving a token from the `gcloud` CLI tool, if it is available on the `PATH`.
 
 For more detailed information and examples, see the [docs][docs-url].
 

src/authentication_manager.rs

@@ -2,8 +2,8 @@ use async_trait::async_trait;
 use tokio::sync::Mutex;
 
 use crate::custom_service_account::CustomServiceAccount;
-use crate::default_authorized_user::DefaultAuthorizedUser;
-use crate::default_service_account::DefaultServiceAccount;
+use crate::default_authorized_user::ConfigDefaultCredentials;
+use crate::default_service_account::MetadataServiceAccount;
 use crate::error::Error;
 use crate::gcloud_authorized_user::GCloudAuthorizedUser;
 use crate::types::{self, HyperClient, Token};
@@ -34,12 +34,12 @@ impl AuthenticationManager {
     ///
     /// 1. Check if the `GOOGLE_APPLICATION_CREDENTIALS` environment variable if set;
     ///    if so, use a custom service account as the token source.
-    /// 2. Check if the `gcloud` tool is available on the `PATH`; if so, use the
-    ///    `gcloud auth print-access-token` command as the token source.
+    /// 2. Look for credentials in `.config/gcloud/application_default_credentials.json`;
+    ///    if found, use these credentials to request refresh tokens.
     /// 3. Send a HTTP request to the internal metadata server to retrieve a token;
     ///    if it succeeds, use the default service account as the token source.
-    /// 4. Look for credentials in `.config/gcloud/application_default_credentials.json`;
-    ///    if found, use these credentials to request refresh tokens.
+    /// 4. Check if the `gcloud` tool is available on the `PATH`; if so, use the
+    ///    `gcloud auth print-access-token` command as the token source.
     #[tracing::instrument]
     pub async fn new() -> Result<Self, Error> {
         tracing::debug!("Initializing gcp_auth");
@@ -48,25 +48,25 @@ impl AuthenticationManager {
         }
 
         let client = types::client();
-        let gcloud_error = match GCloudAuthorizedUser::new().await {
+        let default_user_error = match ConfigDefaultCredentials::new(&client).await {
             Ok(service_account) => {
-                tracing::debug!("Using GCloudAuthorizedUser");
+                tracing::debug!("Using ConfigDefaultCredentials");
                 return Ok(Self::build(client, service_account));
             }
             Err(e) => e,
         };
 
-        let default_service_error = match DefaultServiceAccount::new(&client).await {
+        let default_service_error = match MetadataServiceAccount::new(&client).await {
             Ok(service_account) => {
-                tracing::debug!("Using DefaultServiceAccount");
+                tracing::debug!("Using MetadataServiceAccount");
                 return Ok(Self::build(client, service_account));
             }
             Err(e) => e,
         };
 
-        let default_user_error = match DefaultAuthorizedUser::new(&client).await {
+        let gcloud_error = match GCloudAuthorizedUser::new().await {
             Ok(service_account) => {
-                tracing::debug!("Using DefaultAuthorizedUser");
+                tracing::debug!("Using GCloudAuthorizedUser");
                 return Ok(Self::build(client, service_account));
             }
             Err(e) => e,

src/default_authorized_user.rs

@@ -12,12 +12,12 @@ use crate::types::{HyperClient, Token};
 use crate::util::HyperExt;
 
 #[derive(Debug)]
-pub(crate) struct DefaultAuthorizedUser {
+pub(crate) struct ConfigDefaultCredentials {
     token: RwLock<Token>,
     credentials: UserCredentials,
 }
 
-impl DefaultAuthorizedUser {
+impl ConfigDefaultCredentials {
     const DEFAULT_TOKEN_GCP_URI: &'static str = "https://accounts.google.com/o/oauth2/token";
     const USER_CREDENTIALS_PATH: &'static str =
         ".config/gcloud/application_default_credentials.json";
@@ -77,7 +77,7 @@ impl DefaultAuthorizedUser {
 }
 
 #[async_trait]
-impl ServiceAccount for DefaultAuthorizedUser {
+impl ServiceAccount for ConfigDefaultCredentials {
     async fn project_id(&self, _: &HyperClient) -> Result<String, Error> {
         self.credentials
             .quota_project_id

src/default_service_account.rs

@@ -11,11 +11,11 @@ use crate::types::{HyperClient, Token};
 use crate::util::HyperExt;
 
 #[derive(Debug)]
-pub(crate) struct DefaultServiceAccount {
+pub(crate) struct MetadataServiceAccount {
     token: RwLock<Token>,
 }
 
-impl DefaultServiceAccount {
+impl MetadataServiceAccount {
     const DEFAULT_PROJECT_ID_GCP_URI: &'static str =
         "http://metadata.google.internal/computeMetadata/v1/project/project-id";
     const DEFAULT_TOKEN_GCP_URI: &'static str = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
@@ -61,7 +61,7 @@ impl DefaultServiceAccount {
 }
 
 #[async_trait]
-impl ServiceAccount for DefaultServiceAccount {
+impl ServiceAccount for MetadataServiceAccount {
     async fn project_id(&self, client: &HyperClient) -> Result<String, Error> {
         tracing::debug!("Getting project ID from GCP instance metadata server");
         let req = Self::build_token_request(Self::DEFAULT_PROJECT_ID_GCP_URI);

src/lib.rs

@@ -10,10 +10,11 @@
 //! 1. Reading custom service account credentials from the path pointed to by the
 //!    `GOOGLE_APPLICATION_CREDENTIALS` environment variable. Alternatively, custom service
 //!    account credentials can be read from a JSON file or string.
-//! 2. Retrieving a token from the `gcloud` CLI tool, if it is available on the `PATH`.
+//! 2. Look for credentials in `.config/gcloud/application_default_credentials.json`;
+//!    if found, use these credentials to request refresh tokens. This file can be created
+//!    by invoking `gcloud auth application-default login`.
 //! 3. Use the default service account by retrieving a token from the metadata server.
-//! 4. Look for credentials in `.config/gcloud/application_default_credentials.json`;
-//!    if found, use these credentials to request refresh tokens.
+//! 4. Retrieving a token from the `gcloud` CLI tool, if it is available on the `PATH`.
 //!
 //! For more details, see [`AuthenticationManager::new()`].
 //!