docs: add warning against accepting untrusted credentials (#8041)

PiperOrigin-RevId: 719330114
Source-Link: googleapis/googleapis@9e0f143
Source-Link: googleapis/googleapis-gen@9612bdf
Copy-Tag: eyJwIjoiRXZlbnRhcmNQdWJsaXNoaW5nLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiRmlsZXN0b3JlLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiRmlyZXN0b3JlLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiRnVuY3Rpb25zLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiR1N1aXRlQWRkT25zLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiR2tlQmFja3VwLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiR2tlQ29ubmVjdEdhdGV3YXkvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiR2tlSHViLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiR2tlTXVsdGlDbG91ZC8uT3dsQm90LnlhbWwiLCJoIjoiOTYxMmJkZjg2Y2RiMWE4OTQ4NTk4MDZmMzM5NTgyOWYxY2JhNGYxYyJ9
Copy-Tag: eyJwIjoiR3JhZmVhcy8uT3dsQm90LnlhbWwiLCJoIjoiOTYxMmJkZjg2Y2RiMWE4OTQ4NTk4MDZmMzM5NTgyOWYxY2JhNGYxYyJ9
Copy-Tag: eyJwIjoiSWFtLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiSWFtQ3JlZGVudGlhbHMvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiSWFwLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiSWRzLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiS21zLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiS21zSW52ZW50b3J5Ly5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiTGFuZ3VhZ2UvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiTGlmZVNjaWVuY2VzLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiTG9nZ2luZy8uT3dsQm90LnlhbWwiLCJoIjoiOTYxMmJkZjg2Y2RiMWE4OTQ4NTk4MDZmMzM5NTgyOWYxY2JhNGYxYyJ9
Copy-Tag: eyJwIjoiTG9uZ1J1bm5pbmcvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==

EventarcPublishing/src/V1/Client/PublisherClient.php

@@ -136,6 +136,12 @@ private static function getClientDefaults()
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Filestore/src/V1/Client/CloudFilestoreManagerClient.php

@@ -324,6 +324,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Firestore/src/Admin/V1/Client/FirestoreAdminClient.php

@@ -433,6 +433,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Firestore/src/V1/Client/FirestoreClient.php

@@ -146,6 +146,12 @@ private static function getClientDefaults()
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Functions/src/V2/Client/FunctionServiceClient.php

@@ -442,6 +442,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

GSuiteAddOns/src/V1/Client/GSuiteAddOnsClient.php

@@ -250,6 +250,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

GkeBackup/src/V1/Client/BackupForGKEClient.php

@@ -462,6 +462,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

GkeConnectGateway/src/V1/Client/GatewayControlClient.php

@@ -118,6 +118,12 @@ private static function supportedTransports()
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

GkeConnectGateway/src/V1beta1/Client/GatewayControlClient.php

@@ -122,6 +122,12 @@ private static function supportedTransports()
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

GkeHub/src/V1/Client/GkeHubClient.php

@@ -288,6 +288,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

GkeMultiCloud/src/V1/Client/AttachedClustersClient.php

@@ -269,6 +269,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

GkeMultiCloud/src/V1/Client/AwsClustersClient.php

@@ -311,6 +311,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

GkeMultiCloud/src/V1/Client/AzureClustersClient.php

@@ -338,6 +338,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Grafeas/src/V1/Client/GrafeasClient.php

@@ -231,6 +231,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Iam/src/V2/Client/PoliciesClient.php

@@ -170,6 +170,12 @@ private function createOperationsClient(array $options)
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

IamCredentials/src/V1/Client/IAMCredentialsClient.php

@@ -171,6 +171,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Iap/src/V1/Client/IdentityAwareProxyAdminServiceClient.php

@@ -198,6 +198,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Iap/src/V1/Client/IdentityAwareProxyOAuthServiceClient.php

@@ -127,6 +127,12 @@ private static function getClientDefaults()
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see