feat: Documenting custom credential suppliers #4194
Here is the summary of changes. You are about to add 3 region tags.
You are about to delete 1 region tag.
This comment is generated by snippet-bot.
Summary of Changes

Hello @vverman, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the authentication samples by introducing support for custom credential suppliers. It provides developers with practical examples and detailed documentation on how to integrate third-party authentication providers like AWS and Okta with Google Cloud SDKs, particularly useful for non-standard cloud environments and Workload Identity Federation. This broadens the scope of authentication methods available within the samples.
Code Review
This pull request introduces valuable documentation and samples for using Custom Credential Suppliers with AWS and Okta. The new samples are well-structured and the documentation is clear. I've identified a critical issue in package.json with a dependency version that will prevent installation. Additionally, I've suggested improvements for one of the new samples to enhance clarity and robustness, and pointed out a significant readability issue in a test file caused by unconventional syntax. The other changes are minor and related to code formatting.
| "dependencies": { | ||
| "@aws-sdk/client-sts": "^3.58.0", | ||
| "@aws-sdk/credential-providers": "^3.0.0", | ||
| "dotenv": "^17.0.0", |
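Review bot: The version floors on the two AWS SDK lines are far apart: "@aws-sdk/client-sts" requires at least 3.58.0 while "@aws-sdk/credential-providers" accepts anything from 3.0.0. The AWS SDK v3 packages are published together under a shared version number, so raising the credential-providers range to the same floor (^3.58.0) would keep a minimal install from pairing releases that are 58 minor versions apart.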
| async fetchOktaAccessToken() { | ||
| const params = new URLSearchParams(); | ||
| params.append('grant_type', 'client_credentials'); | ||
| params.append('scope', 'gcp.test.read'); |
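Review bot: The scope on the params.append('scope', 'gcp.test.read') line is fixed in code, while the system test takes OKTA_DOMAIN, OKTA_CLIENT_ID and OKTA_CLIENT_SECRET from the environment. Consider taking the scope from configuration as well, with 'gcp.test.read' as the documented default, so that adapting the sample to another Okta authorization server does not require editing fetchOktaAccessToken().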
The scope gcp.test.read is hardcoded. While this is fine for a demonstration, it might not be obvious to users that this needs to match their Okta application configuration. Adding a comment would improve the sample's clarity and help prevent potential integration issues for users adapting this code.
| params.append('scope', 'gcp.test.read'); | |
| // The scope 'gcp.test.read' is an example. You may need to update it | |
| // based on your Okta application's configuration. | |
| params.append('scope', 'gcp.test.read'); |
| } | ||
| } catch (error) { | ||
| throw new Error( | ||
| `Failed to authenticate with Okta: ${error.response?.data || error.message}` |
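Review bot: The template literal passed to new Error() interpolates error.response?.data, the identity provider's raw response body, into a message that will typically end up in application logs. Prefer reporting the HTTP status and only the fields you expect from a token endpoint (error and error_description) instead of the whole body, so the message stays readable and nothing unexpected from the response is logged.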
When an error occurs during authentication with Okta, if error.response.data is an object, it will be stringified as [object Object], which is not helpful for debugging. It's better to serialize it as a JSON string to provide a more meaningful error message.
| `Failed to authenticate with Okta: ${error.response?.data || error.message}` | |
| `Failed to authenticate with Okta: ${error.response?.data ? JSON.stringify(error.response.data) : error.message}` |
Adding documentation for Custom Credential Suppliers.
Custom Credential Suppliers enable developers to securely integrate third-party authentication directly into the Google Cloud SDKs. Custom Credential Suppliers are primarily used to handle authentication in non-standard cloud environments.
The design and scopes for this are documented under this design doc.
Note: Before submitting a pull request, please open an issue for discussion if you are not associated with Google.
Checklist
npm test (see Testing)
npm run lint (see Style)
GoogleCloudPlatform/nodejs-docs-samples. Not a fork.

These tests will safely skip if the env variables aren't provided.
For the auth/system-test/customCredentialSupplierAws.test.js, we need: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, GCP_WORKLOAD_AUDIENCE, GCS_BUCKET_NAME. Please refer to the auth/README.md under custom credential suppliers for AWS.
For the auth/system-test/customCredentialSupplierOkta.test.js, we need: OKTA_DOMAIN, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET, GCP_WORKLOAD_AUDIENCE, GCS_BUCKET_NAME. Please refer to the auth/README.md under custom credential suppliers for Okta.
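
A sketch of the kind of Okta subject-token supplier this PR documents, added here as an illustration and not code from the pull request. It takes the scope from configuration and reports token-endpoint failures without interpolating the raw response body, the two points raised in review. `getSubjectToken` is the method google-auth-library expects on a subject token supplier; `OktaSubjectTokenSupplier`, `describeOktaError`, `tokenUrl`, `fetchImpl`, the Basic-auth client authentication and the response shapes are assumptions.

```javascript
// Added example. Class, option names and response shapes are assumptions,
// not code from the pull request.
class OktaSubjectTokenSupplier {
  constructor({tokenUrl, clientId, clientSecret, scope, fetchImpl = globalThis.fetch}) {
    Object.assign(this, {tokenUrl, clientId, clientSecret, scope, fetchImpl});
    this.cached = null; // {token, expiresAt} for the last token fetched
  }

  // Called by the auth library each time it needs a subject token to exchange.
  async getSubjectToken() {
    // Reuse the cached token until 60 s before it expires.
    if (this.cached && Date.now() < this.cached.expiresAt - 60_000) {
      return this.cached.token;
    }
    const {fetchImpl} = this;
    const basic = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString('base64');
    const res = await fetchImpl(this.tokenUrl, {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      // The scope comes from configuration instead of being fixed in code.
      body: new URLSearchParams({grant_type: 'client_credentials', scope: this.scope}).toString(),
    });
    const body = (await res.json().catch(() => null)) || {};
    if (!res.ok || typeof body.access_token !== 'string') {
      throw new Error(`Failed to authenticate with Okta: ${describeOktaError(res.status, body)}`);
    }
    const lifetimeMs = (Number(body.expires_in) || 0) * 1000;
    this.cached = {token: body.access_token, expiresAt: Date.now() + lifetimeMs};
    return body.access_token;
  }
}

// Report the status plus the RFC 6749 error fields only, never the raw body
// (which would render as "[object Object]" and may carry unexpected data).
function describeOktaError(status, body) {
  const fields = ['error', 'error_description']
    .filter(k => typeof body?.[k] === 'string')
    .map(k => `${k}=${body[k]}`);
  return `HTTP ${status}` + (fields.length ? ` (${fields.join(', ')})` : '');
}
```

An instance can be passed as the `subject_token_supplier` option when constructing the library's identity pool client, together with the workload audience and subject token type.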