Brad Fitzpatrick 5524b9ef25 all: stop using service accounts, prefer user creds It's better to authenticate with an identity (e.g. foo@google.com), rather than all of us copy/pasting a service account JSON (a glorified access token) around and the server not knowing who's who. I was previously misled into using service accounts because the gcloud tool (when run on a GCE VM) strongly urges you not to use user accounts and says you should be using service accounts instead. But turns out that's because it assumes you'd never use GCE for development and only for deployment. That is, gcloud assumes you'd only use gcloud on desktop/laptop, and then deploy your binary to GCE where the application itself would use service accounts. (We do use service accounts for the application, but I also develop on a GCE VM.) Also, the precursor helper function to FindDefaultCredentials (for "Application Default Credentials") had a different search order for credentials and prefered the GCE VM's service account instead of the user-specific credentials. Now that FindDefaultCredentials uses a good order we can remove some of our old complexity. Change-Id: Ia888e264cfb88e977f3ff1a3a4bb583db70466ab Reviewed-on: https://go-review.googlesource.com/129416 Reviewed-by: Andrew Bonventre <andybons@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>	2018-08-15 17:50:03 +00:00
..
README.md	all: add README.md files where missing, and tool to keep them updated	2017-08-02 22:17:52 +00:00
upload.go	all: stop using service accounts, prefer user creds	2018-08-15 17:50:03 +00:00

Brad Fitzpatrick 5524b9ef25 all: stop using service accounts, prefer user creds

It's better to authenticate with an identity (e.g. foo@google.com),
rather than all of us copy/pasting a service account JSON (a glorified
access token) around and the server not knowing who's who.

I was previously misled into using service accounts because the gcloud
tool (when run on a GCE VM) strongly urges you not to use user
accounts and says you should be using service accounts instead. But
turns out that's because it assumes you'd never use GCE for
development and only for deployment. That is, gcloud assumes you'd
only use gcloud on desktop/laptop, and then deploy your binary to GCE
where the application itself would use service accounts. (We do use
service accounts for the application, but I also develop on a GCE VM.)

Also, the precursor helper function to FindDefaultCredentials (for
"Application Default Credentials") had a different search order for
credentials and prefered the GCE VM's service account instead of the
user-specific credentials. Now that FindDefaultCredentials uses a good
order we can remove some of our old complexity.

Change-Id: Ia888e264cfb88e977f3ff1a3a4bb583db70466ab
Reviewed-on: https://go-review.googlesource.com/129416
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

2018-08-15 17:50:03 +00:00

README.md

all: add README.md files where missing, and tool to keep them updated

2017-08-02 22:17:52 +00:00

upload.go

all: stop using service accounts, prefer user creds

2018-08-15 17:50:03 +00:00

README.md

golang.org/x/build/cmd/upload

The upload command writes a file to Google Cloud Storage.