[Google cloud] Service account key isn't always needed

#1

Hello folks -

First off, rclone is an amazing piece of software. Thank you Nick & all contributors!

rclone currently requires a service account key for accessing Google Cloud Storage. There are 2 scenarios where providing the key isn’t necessary:

  • When running rclone from inside Google Cloud. GCP allows setting service accounts on an instance. All API calls to Google Cloud Storage are automatically authenticated and authorised using the supplied service account. Providing the key material (JSON file) is unnecessary. Having to keep the key material on the instance increases security risk and key management/rotation overhead.
  • When running rclone against a public bucket. For example you can interact with gs://maven-central (Google’s public mirror of Maven Central) without supplying any credentials. Here’s an easy way to test this:
$ gcloud auth revoke --all # log out of all GCP accounts
$ gsutil ls -l gs://maven-central/

I suggest making the service account key field optional. We can fail fast on authn/authz failures and provide a helpful error message.

Let me know what y’all think? I can write go code and I’m happy to provide a PR.

Thanks.

#2

I think this got fixed in the latest beta in this commit.

Interesting, I didn’t know gcs allow anonymous buckets. We allow that in the S3 backend by leaving the access ID key blank, but I don’t think that will work here.

Sounds like the right sort of approach!

I’d love to see a PR - thank you.