
Tricky to use custom credentials with Spanner

Open jskeet opened this issue 2 years ago • 3 comments

Currently there are two ways to specify non-default credentials for SpannerConnection:

  • Set SpannerConnectionStringBuilder.CredentialFile
  • Pass a ChannelCredentials into the constructor of SpannerConnection

We previously didn't want to expose GoogleCredential etc in case we move away from Google.Apis.Auth, but with GAX v4 we reversed that policy. We should look at exposing custom credentials via SpannerConnectionStringBuilder constructors and properties. (It's slightly tricky as it can't really be in the connection string itself, but we clearly have a way with ChannelCredentials already.)

jskeet avatar Jul 21 '22 10:07 jskeet

Idea: Allow the fully qualified name of a Func<GoogleCredential> on the connection string builder, and that could be in the connection string itself.

amanda-tarafa avatar Jul 21 '22 10:07 amanda-tarafa

Hmm... I'm not sure about executing arbitrary code based on the connection string. Sounds like a security issue waiting to happen.

jskeet avatar Jul 21 '22 10:07 jskeet

Yep, that's a good point.

Another idea: Provide a utility to inject the ConnectionStringBuilder and we then can fetch the credential from DI. And we can even read the connection string from configuration in that case, if it's present.

amanda-tarafa avatar Jul 21 '22 11:07 amanda-tarafa
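
A sketch of the DI approach from the last comment, added here as an example. It is not code from this thread or from Google.Cloud.Spanner.Data. The `AddSpannerConnection` helper and the configuration key it reads are hypothetical. It relies only on the existing `SpannerConnection` constructor that takes a `ChannelCredentials`, so the credential comes from the container and nothing in the connection string selects code to run:

```csharp
using System;
using Google.Apis.Auth.OAuth2;
using Google.Cloud.Spanner.Data;
using Grpc.Auth;
using Grpc.Core;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper; not part of Google.Cloud.Spanner.Data.
public static class SpannerServiceCollectionExtensions
{
    // connectionStringName is an assumed key under "ConnectionStrings" in configuration.
    public static IServiceCollection AddSpannerConnection(
        this IServiceCollection services, string connectionStringName)
    {
        services.AddTransient<SpannerConnection>(provider =>
        {
            // The connection string is treated as data only: it names the
            // project/instance/database and never a type or delegate to load.
            var configuration = provider.GetRequiredService<IConfiguration>();
            string connectionString =
                configuration.GetConnectionString(connectionStringName)
                ?? throw new InvalidOperationException(
                    $"No connection string named '{connectionStringName}' is configured.");

            // The credential is whatever the application registered in DI.
            // If nothing was registered, use the connection's default behaviour.
            GoogleCredential credential = provider.GetService<GoogleCredential>();
            if (credential is null)
            {
                return new SpannerConnection(connectionString);
            }

            // Existing route described in the issue: pass ChannelCredentials
            // to the SpannerConnection constructor.
            ChannelCredentials channelCredentials = credential.ToChannelCredentials();
            return new SpannerConnection(connectionString, channelCredentials);
        });
        return services;
    }
}
```

The application registers its own `GoogleCredential` (for example with `services.AddSingleton(myCredential)`) before calling `services.AddSpannerConnection("Spanner")`; the name `"Spanner"` is a constructed example value.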