Allow external GoogleCredentials authentication #66

Closed
joaoandremartins opened this issue Mar 16, 2018 · 8 comments
Labels
priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@joaoandremartins
Contributor

new SQLAdmin.Builder() requires a HttpRequestInitializer as its third argument, not necessarily Credential which createAdminApiClient() requests.

This would be useful because, for example, on our Spring integrations, we want to pass in-memory credentials from a pre-existing GoogleCredentials object (from the newer google-auth-library-java library).
As I understand, the recommended way to use them is to use a HttpCredentialsAdapter, which is a HttpRequestInitializer but not Credential.
I also haven't found any way to conveniently generate a Credential from a HttpCredentialsAdapter.

We would also need to pass in a HttpRequestInitializer instead of a CredentialFactory in the CredentialFactory.CREDENTIAL_FACTORY_PROPERTY property.

@kurtisvg kurtisvg changed the title Allow HttpRequestInitializer to be passed to SslSocketFactory.createAdminApiClient() Allow external GoogleCredentials authentication Jun 22, 2018
@bhtucker
Contributor

This would also be useful for Cloud Partners engineering applications. We too have pre-existing GoogleCredentials that users created from (their choice of) application default credentials or a service account file.

@Luttik

Luttik commented Oct 15, 2018

I would also really like this option; messing with environment variables doesn't seem like a smart thing to do. And I don't really understand why virtually every Google system has the option to use in-memory credentials but not the SQL service.

@nickmarx12345678

nickmarx12345678 commented Apr 2, 2019

I'm also trying to understand how we can configure CloudSQL auth connections without using an env var, any examples?

@hstonec

hstonec commented Mar 17, 2020

I was wondering if there is any update about this issue?

We also would like to use our own credential instead of ADC to initialize the client, but realized that we have to use the deprecated com.google.api.client.googleapis.auth.oauth2.GoogleCredential to create the credential because com.google.cloud.sql.CredentialFactory.create() requires com.google.api.client.auth.oauth2.Credential instead of com.google.auth.Credentials which is recommended in https://github.com/googleapis/google-auth-library-java.

@kurtisvg kurtisvg added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. and removed Type: Enhancement labels Aug 17, 2020
@shubha-rajan shubha-rajan added the priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. label Feb 8, 2021
@shubha-rajan shubha-rajan self-assigned this Feb 8, 2021
@kurtisvg
Contributor

kurtisvg commented Feb 8, 2021

So this is a bit tricky to do, but I think it could be done by adding a static method to the SocketFactory class. This method would essentially take an instance connection name and a credential, and could be used to create the CloudSQLInstance class with the correct credentials set on the SQLAdmin API.

We would need to be careful to clean up any previous CloudSQLInstance objects and refresh threads if a new one is set overtop.

@yorkyu-mercari

yorkyu-mercari commented Sep 15, 2021

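The simplest workaround should be extending a factory class and using it to create HttpRequestInitializer:

```scala
System.setProperty(CredentialFactory.CREDENTIAL_FACTORY_PROPERTY, classOf[ServiceAccountCredentialFactory].getName)
```

I am using Scala, so the test code will look like this:

```scala
import java.io.FileInputStream
import com.google.api.client.http.HttpRequestInitializer
import com.google.api.services.sqladmin.SQLAdminScopes
import com.google.auth.http.HttpCredentialsAdapter
import com.google.auth.oauth2.GoogleCredentials
import com.google.cloud.sql.CredentialFactory
import scala.jdk.CollectionConverters._ // Scala 2.13+

class ServiceAccountCredentialFactory extends CredentialFactory {
  override def create(): HttpRequestInitializer = {
    // CREDENTIAL_FILE_PATH: system property name for the key file path, defined elsewhere
    val jsonPath: String = System.getProperty(CREDENTIAL_FILE_PATH)
    val stream = new FileInputStream(jsonPath)
    var credentials: GoogleCredentials =
      try GoogleCredentials.fromStream(stream) finally stream.close()

    // Add the SQL Admin API scopes when the credentials require explicit scoping
    if (credentials.createScopedRequired()) {
      credentials = credentials.createScoped(Seq(
        SQLAdminScopes.SQLSERVICE_ADMIN,
        SQLAdminScopes.CLOUD_PLATFORM
      ).asJava)
    }
    new HttpCredentialsAdapter(credentials)
  }
}
```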

@shubha-rajan
Contributor

googleapis/google-auth-library-java#658 exposed a getter that returns a Credentials object. Using that getter along with the extended factory class above should allow you to use external GoogleCredentials in your application.
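
An added example, not part of the thread or of the project's code: a Java factory that serves a pre-existing in-memory GoogleCredentials object instead of reading a key file, which is the case the issue asks about. The class name `InMemoryCredentialFactory`, its `install()` method and the static holder are hypothetical; it assumes the library instantiates the class named in the property through a public no-argument constructor.

```java
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.services.sqladmin.SQLAdminScopes;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.sql.CredentialFactory;
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicReference;

/** Hypothetical factory (not part of the library) that serves credentials held in memory. */
public class InMemoryCredentialFactory implements CredentialFactory {

  // The factory is created from a class name (assumed: no-arg constructor), so the
  // credentials cannot be passed to a constructor; they are parked in a static holder.
  private static final AtomicReference<GoogleCredentials> HOLDER = new AtomicReference<>();

  /** Call once at startup, before the first Cloud SQL connection is opened. */
  public static void install(GoogleCredentials credentials) {
    if (credentials == null) {
      throw new IllegalArgumentException("credentials must not be null");
    }
    HOLDER.set(credentials);
    System.setProperty(
        CredentialFactory.CREDENTIAL_FACTORY_PROPERTY,
        InMemoryCredentialFactory.class.getName());
  }

  @Override
  public HttpRequestInitializer create() {
    GoogleCredentials credentials = HOLDER.get();
    if (credentials == null) {
      // Fail closed rather than silently connecting as some other identity.
      throw new IllegalStateException("install() was not called before connecting");
    }
    // Same scoping step as the Scala factory above.
    if (credentials.createScopedRequired()) {
      credentials = credentials.createScoped(Arrays.asList(
          SQLAdminScopes.SQLSERVICE_ADMIN, SQLAdminScopes.CLOUD_PLATFORM));
    }
    return new HttpCredentialsAdapter(credentials);
  }
}
```

Because both the holder and the system property are process-wide, every connection opened in the JVM uses the same identity.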

@kurtisvg kurtisvg assigned kurtisvg and unassigned shubha-rajan Oct 11, 2021
@kurtisvg
Contributor

kurtisvg commented Dec 2, 2021

Going to mark this as closed. I think this current journey is already possible with the current interface.

@kurtisvg kurtisvg closed this as completed Dec 2, 2021