Add support for non-service-account credential files when run as a bi…

…nary. (#217) For example, gcloud's credential files will have either type authorized_user or service_account. JWTConfigFromJSON only supports service accounts, while CredentialsFromJSON supports both service accounts and authorized users. This was tested with a regular gmail account and a service account using the legacy JSON auth files created by gcloud in .config/gcloud/legacy_credentials/*/adc.json
GoogleCloudPlatform · Oct 1, 2018 · 3236ed5 · 3236ed5
1 parent df72c3c
commit 3236ed5
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/cmd/cloud_sql_proxy/cloud_sql_proxy.go b/cmd/cloud_sql_proxy/cloud_sql_proxy.go
@@ -265,12 +265,18 @@ func authenticatedClient(ctx context.Context) (*http.Client, error) {
 		if err != nil {
 			return nil, fmt.Errorf("invalid json file %q: %v", f, err)
 		}
-		cfg, err := goauth.JWTConfigFromJSON(all, proxy.SQLScope)
+		// First try and load this as a service account config, which allows us to see the service account email:
+		if cfg, err := goauth.JWTConfigFromJSON(all, proxy.SQLScope); err == nil {
+			logging.Infof("using credential file for authentication; email=%s", cfg.Email)
+			return cfg.Client(ctx), nil
+		}
+
+		cred, err := goauth.CredentialsFromJSON(ctx, all, proxy.SQLScope)
 		if err != nil {
 			return nil, fmt.Errorf("invalid json file %q: %v", f, err)
 		}
-		logging.Infof("using credential file for authentication; email=%s", cfg.Email)
-		return cfg.Client(ctx), nil
+		logging.Infof("using credential file for authentication; path=%q", f)
+		return oauth2.NewClient(ctx, cred.TokenSource), nil
 	} else if tok := *token; tok != "" {
 		src := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: tok})
 		return oauth2.NewClient(ctx, src), nil