diff --git a/cmd/root.go b/cmd/root.go
index 79fe1f0c7..6597bd5ff 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -377,7 +377,11 @@ func NewCommand(opts ...Option) *Command {
 pflags.StringVarP(&c.conf.CredentialsJSON, "json-credentials", "j", "",
 "Use service account key JSON as a source of IAM credentials.")
 pflags.BoolVarP(&c.conf.GcloudAuth, "gcloud-auth", "g", false,
- "Use gcloud's user credentials as a source of IAM credentials.")
+ `Use gcloud's user credentials as a source of IAM credentials.
+NOTE: this flag is a legacy feature and generally should not be used.
+Instead prefer Application Default Credentials
+(enabled with: gcloud auth application-default login) which
+the Proxy will then pick-up automatically.`)
 pflags.BoolVarP(&c.conf.StructuredLogs, "structured-logs", "l", false,
 "Enable structured logging with LogEntry format")
 pflags.Uint64Var(&c.conf.MaxConnections, "max-connections", 0,
@@ -522,7 +526,12 @@ func parseConfig(cmd *Command, conf *proxy.Config, args []string) error {
 if conf.IAMAuthN && conf.Token != "" && conf.LoginToken == "" {
 return newBadCommandError("cannot specify --auto-iam-authn and --token without --login-token")
 }
- if conf.LoginToken != "" && (conf.Token == "" || !conf.IAMAuthN) {
+ if conf.IAMAuthN && conf.GcloudAuth {
+ return newBadCommandError(`cannot use --auto-iam-authn with --gcloud-auth.
+Instead use Application Default Credentials (enabled with: gcloud auth application-default login)
+and re-try with just --auto-iam-authn`)
+ }
+ if conf.LoginToken != "" && !conf.GcloudAuth && (conf.Token == "" || !conf.IAMAuthN) {
 return newBadCommandError("cannot specify --login-token without --token and --auto-iam-authn")
 }
diff --git a/cmd/root_test.go b/cmd/root_test.go
index a610a7019..540a88fe4 100644
--- a/cmd/root_test.go
+++ b/cmd/root_test.go
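Review bot: The legacy notice added to the `--gcloud-auth` help text only reaches users who read `--help`; anyone already passing `-g` gets no signal at run time. Unless that is handled in the part of NewCommand outside this hunk, consider logging a one-line notice when `c.conf.GcloudAuth` is set, pointing at Application Default Credentials. On wording, "pick-up" is the noun form, so the last line should read `the Proxy will then pick up automatically.`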
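Review bot: The `!conf.GcloudAuth` term added to the `--login-token` check appears to let `--login-token` combined with `--gcloud-auth` pass validation. The new check directly above already rejects `conf.IAMAuthN && conf.GcloudAuth`, so whenever `GcloudAuth` is true at this point `IAMAuthN` is false and the old condition would have returned the error; the added term only suppresses it. If another check in parseConfig (outside this hunk) rejects that pair with a clearer message, add a comment naming that check. Otherwise keep the original `if conf.LoginToken != "" && (conf.Token == "" || !conf.IAMAuthN) {`, so that a supplied credential flag is never accepted and then silently ignored.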
@@ -951,6 +951,12 @@ func TestNewCommandWithErrors(t *testing.T) {
 "--token", "my-token",
 "--gcloud-auth", "proj:region:inst"},
 },
+ {
+ desc: "when both gcloud auth and auto-iam-authn are set",
+ args: []string{
+ "--auto-iam-authn",
+ "--gcloud-auth", "proj:region:inst"},
+ },
 {
 desc: "when both gcloud auth and credentials file are set",
 args: []string{
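Review bot: The added table entry covers only the new `--auto-iam-authn` plus `--gcloud-auth` rejection; the `--login-token` condition changed in cmd/root.go has no case here. If `--login-token` together with `--gcloud-auth` is meant to be an error, add an entry such as `args: []string{"--login-token", "my-login-token", "--gcloud-auth", "proj:region:inst"}` (constructed sample values). If it is meant to be accepted, a positive test should pin that behaviour instead. The loop that consumes this table lies outside the hunk, so whether the error text is asserted, rather than just a non-nil error, cannot be seen from here.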