From aa7a1155d01e8e023b4c29e4320df64d145b6d3b Mon Sep 17 00:00:00 2001 From: Anton Troshin Date: Sun, 13 Apr 2025 14:51:58 -0500 Subject: [PATCH] Update documentation for GCP Secret Manager and Object Store support of implicit authentication (#4592) Signed-off-by: Anton Troshin Co-authored-by: Mark Fussell --- .../supported-bindings/gcpbucket.md | 25 +++++++++++------- .../supported-pubsub/setup-gcp-pubsub.md | 2 +- .../gcp-secret-manager.md | 26 ++++++++++++------- 3 files changed, 32 insertions(+), 21 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-bindings/gcpbucket.md b/daprdocs/content/en/reference/components-reference/supported-bindings/gcpbucket.md index f2d14d320..4aff149d3 100644 --- a/daprdocs/content/en/reference/components-reference/supported-bindings/gcpbucket.md +++ b/daprdocs/content/en/reference/components-reference/supported-bindings/gcpbucket.md @@ -58,19 +58,24 @@ The above example uses secrets as plain strings. It is recommended to use a secr | Field | Required | Binding support | Details | Example | |--------------------|:--------:|------------|-----|---------| | `bucket` | Y | Output | The bucket name | `"mybucket"` | -| `type` | Y | Output | Tge GCP credentials type | `"service_account"` | -| `project_id` | Y | Output | GCP project id| `projectId` -| `private_key_id` | Y | Output | GCP private key id | `"privateKeyId"` -| `private_key` | Y | Output | GCP credentials private key. Replace with x509 cert | `12345-12345` -| `client_email` | Y | Output | GCP client email | `"client@email.com"` -| `client_id` | Y | Output | GCP client id | `0123456789-0123456789` -| `auth_uri` | Y | Output | Google account OAuth endpoint | `https://accounts.google.com/o/oauth2/auth` -| `token_uri` | Y | Output | Google account token uri | `https://oauth2.googleapis.com/token` -| `auth_provider_x509_cert_url` | Y | Output | GCP credentials cert url | `https://www.googleapis.com/oauth2/v1/certs` -| `client_x509_cert_url` | Y | Output | GCP credentials project x509 cert url | `https://www.googleapis.com/robot/v1/metadata/x509/.iam.gserviceaccount.com` +| `project_id` | Y | Output | GCP project ID | `projectId` | +| `type` | N | Output | The GCP credentials type | `"service_account"` | +| `private_key_id` | N | Output | If using explicit credentials, this field should contain the `private_key_id` field from the service account json document | `"privateKeyId"` | +| `private_key` | N | Output | If using explicit credentials, this field should contain the `private_key` field from the service account json. Replace with x509 cert | `12345-12345` | +| `client_email` | N | Output | If using explicit credentials, this field should contain the `client_email` field from the service account json | `"client@email.com"` | +| `client_id` | N | Output | If using explicit credentials, this field should contain the `client_id` field from the service account json | `0123456789-0123456789` | +| `auth_uri` | N | Output | If using explicit credentials, this field should contain the `auth_uri` field from the service account json | `https://accounts.google.com/o/oauth2/auth` | +| `token_uri` | N | Output | If using explicit credentials, this field should contain the `token_uri` field from the service account json | `https://oauth2.googleapis.com/token`| +| `auth_provider_x509_cert_url` | N | Output | If using explicit credentials, this field should contain the `auth_provider_x509_cert_url` field from the service account json | `https://www.googleapis.com/oauth2/v1/certs`| +| `client_x509_cert_url` | N | Output | If using explicit credentials, this field should contain the `client_x509_cert_url` field from the service account json | `https://www.googleapis.com/robot/v1/metadata/x509/.iam.gserviceaccount.com`| | `decodeBase64` | N | Output | Configuration to decode base64 file content before saving to bucket storage. (In case of saving a file with binary content). `true` is the only allowed positive value. Other positive variations like `"True", "1"` are not acceptable. Defaults to `false` | `true`, `false` | | `encodeBase64` | N | Output | Configuration to encode base64 file content before return the content. (In case of opening a file with binary content). `true` is the only allowed positive value. Other positive variations like `"True", "1"` are not acceptable. Defaults to `false` | `true`, `false` | +## GCP Credentials + +Since the GCP Storage Bucket component uses the GCP Go Client Libraries, by default it authenticates using **Application Default Credentials**. This is explained further in the [Authenticate to GCP Cloud services using client libraries](https://cloud.google.com/docs/authentication/client-libraries) guide. +Also, see how to [Set up Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc). + ## Binding support This component supports **output binding** with the following operations: diff --git a/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-gcp-pubsub.md b/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-gcp-pubsub.md index 088126b1c..849f11863 100644 --- a/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-gcp-pubsub.md +++ b/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-gcp-pubsub.md @@ -76,7 +76,7 @@ The above example uses secrets as plain strings. It is recommended to use a secr | Field | Required | Details | Example | |--------------------|:--------:|---------|---------| -| projectId | Y | GCP project id| `myproject-123` +| projectId | Y | GCP project ID | `myproject-123` | endpoint | N | GCP endpoint for the component to use. Only used for local development (for example) with [GCP Pub/Sub Emulator](https://cloud.google.com/pubsub/docs/emulator). The `endpoint` is unnecessary when running against the GCP production API. | `"http://localhost:8085"` | `consumerID` | N | The Consumer ID organizes one or more consumers into a group. Consumers with the same consumer ID work as one virtual consumer; for example, a message is processed only once by one of the consumers in the group. If the `consumerID` is not provided, the Dapr runtime set it to the Dapr application ID (`appID`) value. The `consumerID`, along with the `topic` provided as part of the request, are used to build the Pub/Sub subscription ID | Can be set to string value (such as `"channel1"`) or string format value (such as `"{podName}"`, etc.). [See all of template tags you can use in your component metadata.]({{< ref "component-schema.md#templated-metadata-values" >}}) | identityProjectId | N | If the GCP pubsub project is different from the identity project, specify the identity project using this attribute | `"myproject-123"` diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/gcp-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/gcp-secret-manager.md index 24a1a155b..4557e436f 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/gcp-secret-manager.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/gcp-secret-manager.md @@ -50,16 +50,22 @@ The above example uses secrets as plain strings. It is recommended to use a loca | Field | Required | Details | Example | |--------------------|:--------:|--------------------------------|---------------------| -| type | Y | The type of the account. | `"service_account"` | -| project_id | Y | The project ID associated with this component. | `"project_id"` | -| private_key_id | N | The private key ID | `"privatekey"` | -| client_email | Y | The client email address | `"client@example.com"` | -| client_id | N | The ID of the client | `"11111111"` | -| auth_uri | N | The authentication URI | `"https://accounts.google.com/o/oauth2/auth"` | -| token_uri | N | The authentication token URI | `"https://oauth2.googleapis.com/token"` | -| auth_provider_x509_cert_url | N | The certificate URL for the auth provider | `"https://www.googleapis.com/oauth2/v1/certs"` | -| client_x509_cert_url | N | The certificate URL for the client | `"https://www.googleapis.com/robot/v1/metadata/x509/.iam.gserviceaccount.com"`| -| private_key | Y | The private key for authentication | `"privateKey"` | +| `project_id` | Y | The project ID associated with this component. | `"project_id"` | +| `type` | N | The type of the account. | `"service_account"` | +| `private_key_id` | N | If using explicit credentials, this field should contain the `private_key_id` field from the service account json document | `"privateKeyId"`| +| `private_key` | N | If using explicit credentials, this field should contain the `private_key` field from the service account json. Replace with x509 cert | `12345-12345`| +| `client_email` | N | If using explicit credentials, this field should contain the `client_email` field from the service account json | `"client@email.com"`| +| `client_id` | N | If using explicit credentials, this field should contain the `client_id` field from the service account json | `0123456789-0123456789`| +| `auth_uri` | N | If using explicit credentials, this field should contain the `auth_uri` field from the service account json | `https://accounts.google.com/o/oauth2/auth`| +| `token_uri` | N | If using explicit credentials, this field should contain the `token_uri` field from the service account json | `https://oauth2.googleapis.com/token`| +| `auth_provider_x509_cert_url` | N | If using explicit credentials, this field should contain the `auth_provider_x509_cert_url` field from the service account json | `https://www.googleapis.com/oauth2/v1/certs`| +| `client_x509_cert_url` | N | If using explicit credentials, this field should contain the `client_x509_cert_url` field from the service account json | `https://www.googleapis.com/robot/v1/metadata/x509/.iam.gserviceaccount.com`| + + +## GCP Credentials + +Since the GCP Secret Manager component uses the GCP Go Client Libraries, by default it authenticates using **Application Default Credentials**. This is explained further in the [Authenticate to GCP Cloud services using client libraries](https://cloud.google.com/docs/authentication/client-libraries) guide. +Also, see how to [Set up Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc). ## Optional per-request metadata properties