Get a token from the Google metadata server
If your code is running on Google Cloud, we can often obtain a token for an
attached service account directly from a metadata server. This is more secure
than working with an explicit service account key, as
credentials_service_account() does, and is the preferred method of auth for
workloads running on Google Cloud.
The most straightforward scenario is when you are working in a VM on Google Compute Engine and it's OK to use the default service account. This should "just work" automatically.
credentials_gce() supports other use cases (such as GKE Workload Identity),
but may require some explicit setup, such as:
- Create a service account, grant it the appropriate scope(s) and IAM roles, and attach it to the target resource. This prep work happens outside of R, e.g., in the Google Cloud Console. On the R side, provide the email address of this appropriately configured service account via
- Specify details for constructing the root URL of the metadata service:
  - The logical option "gargle.gce.use_ip". If undefined, this defaults to
  - The environment variable GCE_METADATA_URL is consulted when "gargle.gce.use_ip" is FALSE. If undefined, the default is
  - The environment variable GCE_METADATA_IP is consulted when "gargle.gce.use_ip" is TRUE. If undefined, the default is
- Change (presumably increase) the timeout for requests to the metadata server via the "gargle.gce.timeout" global option. This timeout is given in seconds and is set to a value (strategy, really) that often works well in practice. However, in some cases it may be necessary to increase the timeout with code such as:

    options(gargle.gce.timeout = 3)
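The R side of the setup steps above, as an added example that is not part of the gargle documentation: it sets the metadata-server options, then requests a token for an explicitly named attached service account with only the scope the workload needs, and fails loudly when no token comes back. The service account address and the Cloud Storage scope are placeholders chosen for illustration; the timeout value is the one shown on the page.

```r
# Added example, not gargle's own code. The service account address and the
# scope below are placeholders; substitute the values for your workload.
library(gargle)

# Metadata-server access options. use_ip = FALSE selects the hostname-based
# root URL (configurable through GCE_METADATA_URL) rather than the IP-based
# one (GCE_METADATA_IP); the timeout is in seconds.
options(
  gargle.gce.use_ip  = FALSE,
  gargle.gce.timeout = 3
)

# Request a token for a specific attached service account. Asking only for
# the scope the job needs (here read-only Cloud Storage, a placeholder choice)
# limits what the token can do if it is ever exposed.
gce_token <- function(
    service_account = "my-job@my-project.iam.gserviceaccount.com",  # placeholder
    scopes = "https://www.googleapis.com/auth/devstorage.read_only") {
  token <- credentials_gce(scopes = scopes, service_account = service_account)
  if (is.null(token)) {
    # credentials_gce() returns NULL rather than erroring when it cannot
    # obtain a token, so the caller decides how to handle that.
    stop(
      "credentials_gce() returned NULL: this is not a GCE workload, the ",
      "metadata server did not answer within getOption('gargle.gce.timeout') ",
      "seconds, or no service account named '", service_account,
      "' is attached to this resource."
    )
  }
  token
}

tok <- gce_token()
```

Because every gargle credential function returns NULL when it cannot produce a token, wrapping the call this way turns a silent fallback into an explicit failure, which is what you want in an unattended workload.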
For details on specific use cases, such as Google Kubernetes Engine (GKE),
Usage:

    credentials_gce(
      scopes = "https://www.googleapis.com/auth/cloud-platform",
      service_account = "default",
      ...
    )

Arguments:

scopes: A character vector of scopes to request. Pick from those listed at https://developers.google.com/identity/protocols/oauth2/scopes. For certain token flows, the "https://www.googleapis.com/auth/userinfo.email" scope is unconditionally included. This grants permission to retrieve the email address associated with a token; gargle uses this to index cached OAuth tokens. This grants no permission to view or send email and is generally considered a low-value scope.

service_account: Name of the GCE service account to use.

...: Additional arguments passed to all credential functions.
See also:

- A related auth flow that can be used on certain non-Google cloud providers is workload identity federation, which is implemented in
- How to attach a service account to a resource: https://cloud.google.com/iam/docs/impersonating-service-accounts#attaching-to-resources