From 492baf991ffb588a6ceb3738ac6d0282fa9d8d95 Mon Sep 17 00:00:00 2001 From: Lawrence Jones Date: Fri, 12 Jan 2018 17:36:57 +0000 Subject: [PATCH] Update docs and add changelog entry: Google auth Add documentation around using default Google application credentials, along with a changelog extra that describes the feature and the potential impact on existing restic uses (read: none). --- changelog/unreleased/pull-1552 | 12 ++++++++++++ doc/030_preparing_a_new_repo.rst | 10 ++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 changelog/unreleased/pull-1552 diff --git a/changelog/unreleased/pull-1552 b/changelog/unreleased/pull-1552 new file mode 100644 index 000000000..f97a60f06 --- /dev/null +++ b/changelog/unreleased/pull-1552 @@ -0,0 +1,12 @@ +Feature: Use Google Application Default credentials + +Google provide libraries to generate appropriate credentials with various +fallback sources. This change uses the library to generate our GCS client, which +allows us to make use of these extra methods. + +This should be backward compatible with previous restic behaviour while adding +the additional capabilities to auth from Google's internal metadata endpoints. +For users running restic in GCP this can make authentication far easier than it +was before. + +https://developers.google.com/identity/protocols/application-default-credentials diff --git a/doc/030_preparing_a_new_repo.rst b/doc/030_preparing_a_new_repo.rst index dd8e9f7c7..1b984c4a7 100644 --- a/doc/030_preparing_a_new_repo.rst +++ b/doc/030_preparing_a_new_repo.rst 
@@ -362,8 +362,14 @@ key file and the project ID as follows: $ export GOOGLE_PROJECT_ID=123123123123 $ export GOOGLE_APPLICATION_CREDENTIALS=$HOME/.config/gs-secret-restic-key.json -Then you can use the ``gs:`` backend type to create a new repository in the -bucket `foo` at the root path: +We use Google's client library to generate [default authentication +material](https://developers.google.com/identity/protocols/application-default-credentials), +which means if you're running in Google Container Engine or are otherwise +located on an instance with default service accounts then these should work out +the box. + +Once authenticated, you can use the ``gs:`` backend type to create a new +repository in the bucket `foo` at the root path: .. code-block:: console
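Review bot: In changelog/unreleased/pull-1552, the entry refers to "various fallback sources" without naming them or their order, so a reader cannot tell which credential restic will use when more than one is present on the host. Suggest listing the sources in the entry and stating whether a key file set explicitly through GOOGLE_APPLICATION_CREDENTIALS still takes precedence over the metadata endpoints, since that is what "should be backward compatible" has to mean for existing setups. Minor: "Google provide libraries" should read "Google provides libraries".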
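Review bot: In the doc/030_preparing_a_new_repo.rst hunk, the added link is written in Markdown, "[default authentication material](https://developers.google.com/identity/protocols/application-default-credentials)", which reStructuredText renders literally rather than as a link. Use the rst form `default authentication material <https://developers.google.com/identity/protocols/application-default-credentials>`_ instead. "work out the box" should read "work out of the box". The new paragraph also sits directly after the exports of GOOGLE_PROJECT_ID and GOOGLE_APPLICATION_CREDENTIALS without saying which of the two is still needed when an instance's default service account is used; one sentence covering that would make the section unambiguous.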