Update docs and add changelog entry: Google auth

Add documentation around using default Google application credentials, along with a changelog extra that describes the feature and the potential impact on existing restic uses (read: none).
2024-11-25 22:27:35 +00:00 · 2018-01-12 17:36:57 +00:00 · 2018-01-12 17:36:57 +00:00 · 492baf991f
commit 492baf991f
parent 0dfdc11ed9
2 changed files with 20 additions and 2 deletions
--- a/changelog/unreleased/pull-1552
+++ b/changelog/unreleased/pull-1552
@ -0,0 +1,12 @@
+Feature: Use Google Application Default credentials
+
+Google provide libraries to generate appropriate credentials with various
+fallback sources. This change uses the library to generate our GCS client, which
+allows us to make use of these extra methods.
+
+This should be backward compatible with previous restic behaviour while adding
+the additional capabilities to auth from Google's internal metadata endpoints.
+For users running restic in GCP this can make authentication far easier than it
+was before.
+
+https://developers.google.com/identity/protocols/application-default-credentials
--- a/doc/030_preparing_a_new_repo.rst
+++ b/doc/030_preparing_a_new_repo.rst
@ -362,8 +362,14 @@ key file and the project ID as follows:
    $ export GOOGLE_PROJECT_ID=123123123123
    $ export GOOGLE_APPLICATION_CREDENTIALS=$HOME/.config/gs-secret-restic-key.json

-Then you can use the ``gs:`` backend type to create a new repository in the
-bucket `foo` at the root path:
+We use Google's client library to generate [default authentication
+material](https://developers.google.com/identity/protocols/application-default-credentials),
+which means if you're running in Google Container Engine or are otherwise
+located on an instance with default service accounts then these should work out
+the box.
+
+Once authenticated, you can use the ``gs:`` backend type to create a new
+repository in the bucket `foo` at the root path:

 .. code-block:: console