feat: Allow connector to accept loginAuth to pass it down to sqlAdminFetcher

[Anoupz]

Change Description

Allow connector to accept custom auth as arg to be able to pass it down to sqlAdminFetcher which can rely on custom auth or default auth if none is provided.

Relevant issues:

• Fixes Add support for specifying custom credentials #200

[conventional-commit-lint-gcf]

🤖 I detect that the PR title and the commit message differ and there's only one commit. To use the PR title for the commit history, you can use Github's automerge feature with squashing, or use automerge label. Good luck human!

-- conventional-commit-lint bot
https://conventionalcommits.org/

[jackwotherspoon]

@Anoupz Thanks for the contribution! Would you mind maybe adding a quick test to https://github.com/GoogleCloudPlatform/cloud-sql-nodejs-connector/blob/main/test/connector.ts that covers passing in a credential?

[edosrecki]

@Anoupz , @jackwotherspoon

What about the auth here:

cloud-sql-nodejs-connector/src/sqladmin-fetcher.ts

Line 76 in 0d34e7b

const auth = new GoogleAuth({

[jackwotherspoon]

What about the auth here:

cloud-sql-nodejs-connector/src/sqladmin-fetcher.ts

Line 76 in 0d34e7b

const auth = new GoogleAuth({

@Anoupz the way the Connector works is it has two credential Google Auth objects, each with different access scopes. The loginAuth is used for logging in with automatic IAM database authentication and has the 'https://www.googleapis.com/auth/sqlservice.login' scopes required to purely login to a Cloud SQL database. The second Google Auth object that @edosrecki is pointing out is used for authorization and to authorize the client used to make Cloud SQL Admin API calls (aka does the person connecting have the proper permissions to connect to Cloud SQL) and requires the 'https://www.googleapis.com/auth/sqlservice.admin'.

Both of these credentials must belong to the same IAM Principal in order to successfully connect with IAM database authentication. Thus, we need to support setting both of these to the custom credentials passed in.

In Python we can pass in a single credentials object because the google-auth library allows credentials to be re-scoped (hence we can pass in a single credentials object and scope it as required to satisfy both auth credentials). I wonder if something similar is possible for the node google-auth-library?

[Anoupz]

What about the auth here:

cloud-sql-nodejs-connector/src/sqladmin-fetcher.ts

Line 76 in 0d34e7b

const auth = new GoogleAuth({

@Anoupz the way the Connector works is it has two credential Google Auth objects, each with different access scopes. The loginAuth is used for logging in with automatic IAM database authentication and has the 'https://www.googleapis.com/auth/sqlservice.login' scopes required to purely login to a Cloud SQL database. The second Google Auth object that @edosrecki is pointing out is used for authorization and to authorize the client used to make Cloud SQL Admin API calls (aka does the person connecting have the proper permissions to connect to Cloud SQL) and requires the 'https://www.googleapis.com/auth/sqlservice.admin'.

Both of these credentials must belong to the same IAM Principal in order to successfully connect with IAM database authentication. Thus, we need to support setting both of these to the custom credentials passed in.

In Python we can pass in a single credentials object because the google-auth library allows credentials to be re-scoped (hence we can pass in a single credentials object and scope it as required to satisfy both auth credentials). I wonder if something similar is possible for the node google-auth-library?

Humm, When I tested this I did not encounter any issue. Let me check again

[jackwotherspoon]

Humm, When I tested this I did not encounter any issue. Let me check again

@Anoupz are you using IAM database authentication to login for your use-case or regular username/password database auth?

[Anoupz]

Humm, When I tested this I did not encounter any issue. Let me check again

@Anoupz are you using IAM database authentication to login for your use-case or regular username/password database auth?

I am using IAM database authentication.

[Anoupz]

What about the auth here:

cloud-sql-nodejs-connector/src/sqladmin-fetcher.ts

Line 76 in 0d34e7b

const auth = new GoogleAuth({

@Anoupz the way the Connector works is it has two credential Google Auth objects, each with different access scopes. The loginAuth is used for logging in with automatic IAM database authentication and has the 'https://www.googleapis.com/auth/sqlservice.login' scopes required to purely login to a Cloud SQL database. The second Google Auth object that @edosrecki is pointing out is used for authorization and to authorize the client used to make Cloud SQL Admin API calls (aka does the person connecting have the proper permissions to connect to Cloud SQL) and requires the 'https://www.googleapis.com/auth/sqlservice.admin'.
Both of these credentials must belong to the same IAM Principal in order to successfully connect with IAM database authentication. Thus, we need to support setting both of these to the custom credentials passed in.
In Python we can pass in a single credentials object because the google-auth library allows credentials to be re-scoped (hence we can pass in a single credentials object and scope it as required to satisfy both auth credentials). I wonder if something similar is possible for the node google-auth-library?

Humm, When I tested this I did not encounter any issue. Let me check again

Sorry, I was not able to reproduce it. Can anyone help me to update this and what should be updated with? I only pass the loginAuth since the getEphemeralCertificate function would be able to use the passed in loginAuth and get the access token and the client.

[enocom]

The PR here might be a good thing to build on: #210 and will make it easy to pass in an auth object.

[Anoupz]

The PR here might be a good thing to build on: #210 and will make it easy to pass in an auth object.

Thanks @enocom. @edosrecki you can combine these two changes or I can merge your changes on mine. Feel free to edit it.

[edosrecki]

@jackwotherspoon, @Anoupz, @ruyadorno

Can't we do the following:

constructor(options?: { authClient?: AuthClient }) {
  const adminAuth = new GoogleAuth({
    authClient: options.authClient,
    scopes: ['https://www.googleapis.com/auth/sqlservice.admin'],
  });
  const loginAuth = new GoogleAuth({
    authClient: options.authClient,
    scopes: ['https://www.googleapis.com/auth/sqlservice.login'],
  })
 
  // ...
}

If a custom AuthClient object is passed by the library user, GoogleAuth class will use it, otherwise it will set it up by doing it's own magic. This should be equivalent to Python library's with_scopes() call.

[enocom]

That looks good to me. @ruyadorno WDYT?

[edosrecki]

@jackwotherspoon @enocom @ruyadorno @Anoupz

I just tried out what I suggested above, and it does not work due to a TypeScript error.

Sqladmin constructor expects auth: GoogleAuth, which is a generic type GoogleAuth<T extends AuthClient = JSONClient>. As you can see it is defaulted to JSONClient which is a union type JSONClient = JWT | UserRefreshClient | BaseExternalAccountClient | ExternalAccountAuthorizedUserClient | Impersonated;.

Therefore we cannot pass just any AuthClient, but only those specified in JSONClient type. I believe this is a type mistake. I think that Sqladmin should be generic in T extends AuthClient, and should allow auth: GoogleAuth<T>.

I created an issue here: googleapis/google-api-nodejs-client#3357 to start the discussion.

[ruyadorno]

@edosrecki @jackwotherspoon I also noticed that google-auth-library has a DownscopedClient that would be ideal to implement something similar to how it works on the Python Connector. Unfortunately it seems to use a CredentialAccessBoundary system that is only available on Cloud Storage for now.

Nevermind, @enocom clarified to me that's not even the same feature, it's just misleadingly sharing the same name.