docs: add warning about loading unvalidated credentials

Author: yoshi-automation

google-cloud-bigquery/AUTHENTICATION.md

@@ -67,12 +67,14 @@ The environment variables that BigQuery checks for credentials are configured on
 5. `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
 
 ```ruby
+require "googleauth"
 require "google/cloud/bigquery"
 
-ENV["BIGQUERY_PROJECT"]     = "my-project-id"
-ENV["BIGQUERY_CREDENTIALS"] = "path/to/keyfile.json"
+credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: ::File.open("/path/to/keyfile.json")
+)
 
-bigquery = Google::Cloud::Bigquery.new
+bigquery = Google::Cloud::Bigquery.new project_id: "my-project-id", credentials: credentials
 ```
 
 ### Configuration
@@ -81,11 +83,16 @@ The **Project ID** and the path to the **Credentials JSON** file can be configur
 instead of placing them in environment variables or providing them as arguments.
 
 ```ruby
+require "googleauth"
 require "google/cloud/bigquery"
 
+credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: ::File.open("/path/to/keyfile.json")
+)
+
 Google::Cloud::Bigquery.configure do |config|
   config.project_id  = "my-project-id"
-  config.credentials = "path/to/keyfile.json"
+  config.credentials = credentials
 end
 
 bigquery = Google::Cloud::Bigquery.new

google-cloud-bigquery/lib/google-cloud-bigquery.rb

@@ -87,9 +87,25 @@ def bigquery scope: nil, retries: nil, timeout: nil
     #
     # @param [String] project_id Identifier for a BigQuery project. If not
     #   present, the default project for the credentials is used.
-    # @param [String, Hash, Google::Auth::Credentials] credentials The path to
-    #   the keyfile as a String, the contents of the keyfile as a Hash, or a
-    #   Google::Auth::Credentials object. (See {Bigquery::Credentials})
+    # @param [Google::Auth::Credentials] credentials A Google::Auth::Credentials
+    #     object. (See {Bigquery::Credentials})
+    #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+    #     is deprecated. Providing an unvalidated credential configuration to
+    #     Google APIs can compromise the security of your systems and data.
+    #
+    #   @example
+    #
+    #     # The recommended way to provide credentials is to use the `make_creds` method
+    #     # on the appropriate credentials class for your environment.
+    #
+    #     require "googleauth"
+    #
+    #     credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+    #       json_key_io: ::File.open("/path/to/keyfile.json")
+    #     )
+    #
+    #     client = ::Google::Cloud::Bigquery.new credentials: credentials
+    #
     # @param [String, Array<String>] scope The OAuth 2.0 scopes controlling the
     #   set of resources and operations that the connection can access. See
     #   [Using OAuth 2.0 to Access Google

google-cloud-bigquery/lib/google/cloud/bigquery.rb

@@ -37,9 +37,26 @@ module Bigquery
       #
       # @param [String] project_id Identifier for a BigQuery project. If not
       #   present, the default project for the credentials is used.
-      # @param [String, Hash, Google::Auth::Credentials] credentials The path to
-      #   the keyfile as a String, the contents of the keyfile as a Hash, or a
-      #   Google::Auth::Credentials object. (See {Bigquery::Credentials})
+      # @param [Google::Auth::Credentials] credentials A Google::Auth::Credentials
+      #   object. (See {Bigquery::Credentials})
+      #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+      #     is deprecated. Providing an unvalidated credential configuration to
+      #     Google APIs can compromise the security of your systems and data.
+      #
+      #   @example
+      #
+      #     # The recommended way to provide credentials is to use the `make_creds` method
+      #     # on the appropriate credentials class for your environment.
+      #
+      #     require "googleauth"
+      #
+      #     credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+      #       json_key_io: ::File.open("/path/to/keyfile.json")
+      #     )
+      #
+      #     client = ::Google::Cloud::Bigquery.new do |config|
+      #       config.credentials = credentials
+      #     end
       # @param [String, Array<String>] scope The OAuth 2.0 scopes controlling
       #   the set of resources and operations that the connection can access.
       #   See # [Using OAuth 2.0 to Access Google #
@@ -98,12 +115,11 @@ def self.new project_id: nil, credentials: nil, scope: nil, retries: nil, timeou
       #
       # * `project_id` - (String) Identifier for a BigQuery project. (The
       #   parameter `project` is considered deprecated, but may also be used.)
-      # * `credentials` - (String, Hash, Google::Auth::Credentials) The path to
-      #   the keyfile as a String, the contents of the keyfile as a Hash, or a
-      #   Google::Auth::Credentials object. (See {Bigquery::Credentials}) (The
-      #   parameter `keyfile` is considered deprecated, but may also be used.)
-      # * `endpoint` - (String) Override of the endpoint host name, or `nil`
-      #   to use the default endpoint.
+      # * `credentials` - (Google::Auth::Credentials) A Google::Auth::Credentials
+      #   object. (See {Bigquery::Credentials})
+      #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+      #     is deprecated. Providing an unvalidated credential configuration to
+      #     Google APIs can compromise the security of your systems and data.
       # * `scope` - (String, Array<String>) The OAuth 2.0 scopes controlling
       #   the set of resources and operations that the connection can access.
       # * `retries` - (Integer) Number of times to retry requests on server

google-cloud-bigtable/AUTHENTICATION.md

@@ -85,12 +85,14 @@ The environment variables that google-cloud-bigtable checks for credentials are
 5. `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
 
 ```ruby
+require "googleauth"
 require "google/cloud/bigtable"
 
-ENV["BIGTABLE_PROJECT"]     = "my-project-id"
-ENV["BIGTABLE_CREDENTIALS"] = "path/to/keyfile.json"
+credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: ::File.open("/path/to/keyfile.json")
+)
 
-client = Google::Cloud::Bigtable.new
+client = Google::Cloud::Bigtable.new project_id: "my-project-id", credentials: credentials
 ```
 
 ### Configuration
@@ -99,11 +101,16 @@ The **Project ID** and the path to the **Credentials JSON** file can be configur
 instead of placing them in environment variables or providing them as arguments.
 
 ```ruby
+require "googleauth"
 require "google/cloud/bigtable"
 
+credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: ::File.open("/path/to/keyfile.json")
+)
+
 Google::Cloud::Bigtable.configure do |config|
   config.project_id  = "my-project-id"
-  config.credentials = "path/to/keyfile.json"
+  config.credentials = credentials
 end
 
 client = Google::Cloud::Bigtable.new

google-cloud-bigtable/lib/google-cloud-bigtable.rb

@@ -40,29 +40,31 @@ module Cloud
     #   updater_proc is supplied.
     # @param timeout [Integer]
     #   The default timeout, in seconds, for calls made through this client.
-    # @param credentials [Google::Auth::Credentials, String, Hash, GRPC::Core::Channel,
+    # @param credentials [Google::Auth::Credentials, GRPC::Core::Channel,
     #   GRPC::Core::ChannelCredentials, Proc]
-    #   Provides the means for authenticating requests made by the client. This parameter can
+    #   The means for authenticating requests made by the client. This parameter can
     #   be one of the following types.
     #   `Google::Auth::Credentials` uses the properties of its represented keyfile for
     #   authenticating requests made by this client.
-    #   `String` will be treated as the path to the keyfile to use to construct
-    #   credentials for this client.
-    #   `Hash` will be treated as the contents of a keyfile to use to construct
-    #   credentials for this client.
     #   `GRPC::Core::Channel` will be used to make calls through.
     #   `GRPC::Core::ChannelCredentials` will be used to set up the gRPC client. The channel credentials
     #   should already be composed with a `GRPC::Core::CallCredentials` object.
     #   `Proc` will be used as an updater_proc for the gRPC channel. The proc transforms the
     #   metadata for requests, generally, to give OAuth credentials.
-    # @return [Google::Cloud::Bigtable::Project]
+    #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+    #     is deprecated. Providing an unvalidated credential configuration to
+    #     Google APIs can compromise the security of your systems and data.
     #
-    # @example
-    #   require "google/cloud/bigtable"
+    #   @example
+    #
+    #     # The recommended way to provide credentials is to use the `make_creds` method
+    #     # on the appropriate credentials class for your environment.
     #
-    #   gcloud  = Google::Cloud.new
+    #     credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+    #       json_key_io: ::File.open("/path/to/keyfile.json")
+    #     )
     #
-    #   bigtable = gcloud.bigtable
+    #     client = Google::Cloud.bigtable credentials: credentials
     #
     def bigtable scope: nil, timeout: nil, credentials: nil
       credentials ||= @keyfile
@@ -83,21 +85,32 @@ def bigtable scope: nil, timeout: nil, credentials: nil
     #   Project identifier for the Bigtable service you
     #   are connecting to. If not present, the default project for the
     #   credentials is used.
-    # @param credentials [Google::Auth::Credentials, String, Hash, GRPC::Core::Channel,
+    # @param credentials [Google::Auth::Credentials, GRPC::Core::Channel,
     #   GRPC::Core::ChannelCredentials, Proc]
     #   The means for authenticating requests made by the client. This parameter can
     #   be one of the following types.
     #   `Google::Auth::Credentials` uses the properties of its represented keyfile for
     #   authenticating requests made by this client.
-    #   `String` will be treated as the path to the keyfile to use to construct
-    #   credentials for this client.
-    #   `Hash` will be treated as the contents of a keyfile to use to construct
-    #   credentials for this client.
     #   `GRPC::Core::Channel` will be used to make calls through.
     #   `GRPC::Core::ChannelCredentials` will be used to set up the gRPC client. The channel credentials
     #   should already be composed with a `GRPC::Core::CallCredentials` object.
     #   `Proc` will be used as an updater_proc for the gRPC channel. The proc transforms the
     #   metadata for requests, generally, to give OAuth credentials.
+    #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+    #     is deprecated. Providing an unvalidated credential configuration to
+    #     Google APIs can compromise the security of your systems and data.
+    #
+    #   @example
+    #
+    #     # The recommended way to provide credentials is to use the `make_creds` method
+    #     # on the appropriate credentials class for your environment.
+    #
+    #     credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+    #       json_key_io: ::File.open("/path/to/keyfile.json")
+    #     )
+    #
+    #     client = Google::Cloud.bigtable credentials: credentials
+    #
     # @param scope [Array<String>]
     #   The OAuth 2.0 scopes controlling the set of resources and operations
     #   that the connection can access. See [Using OAuth 2.0 to Access Google

google-cloud-bigtable/lib/google/cloud/bigtable.rb

@@ -43,15 +43,14 @@ module Bigtable
       #   be one of the following types:
       #   `Google::Auth::Credentials` uses the properties of its represented keyfile for
       #   authenticating requests made by this client.
-      #   `String` will be treated as the path to the keyfile to use to construct
-      #   credentials for this client.
-      #   `Hash` will be treated as the contents of a keyfile to use to construct
-      #   credentials for this client.
       #   `GRPC::Core::Channel` will be used to make calls through.
       #   `GRPC::Core::ChannelCredentials` for the setting up the gRPC client. The channel credentials
       #   should already be composed with a `GRPC::Core::CallCredentials` object.
       #   `Proc` will be used as an updater_proc for the gRPC channel. The proc transforms the
       #   metadata for requests, generally, to give OAuth credentials.
+      #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+      #     is deprecated. Providing an unvalidated credential configuration to
+      #     Google APIs can compromise the security of your systems and data.
       # @param universe_domain [String] Override of the universe domain. Optional.
       # @param endpoint [String] Override of the endpoint host name. Optional.
       #   If the param is nil, uses the default endpoint.

google-cloud-datastore/AUTHENTICATION.md

@@ -86,12 +86,14 @@ The environment variables that google-cloud-datastore checks for credentials are
 5. `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
 
 ```ruby
+require "googleauth"
 require "google/cloud/datastore"
 
-ENV["DATASTORE_PROJECT"]     = "my-project-id"
-ENV["DATASTORE_CREDENTIALS"] = "path/to/keyfile.json"
+credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: ::File.open("/path/to/keyfile.json")
+)
 
-client = Google::Cloud::Datastore.new
+client = Google::Cloud::Datastore.new project_id: "my-project-id", credentials: credentials
 ```
 
 ### Configuration
@@ -100,11 +102,16 @@ The **Project ID** and the path to the **Credentials JSON** file can be configur
 instead of placing them in environment variables or providing them as arguments.
 
 ```ruby
+require "googleauth"
 require "google/cloud/datastore"
 
+credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: ::File.open("/path/to/keyfile.json")
+)
+
 Google::Cloud::Datastore.configure do |config|
   config.project_id  = "my-project-id"
-  config.credentials = "path/to/keyfile.json"
+  config.credentials = credentials
 end
 
 client = Google::Cloud::Datastore.new

google-cloud-datastore/OVERVIEW.md

@@ -14,11 +14,16 @@ your code or via environment variables. Read more about the options for
 connecting in the [Authentication Guide](AUTHENTICATION.md).
 
 ```ruby
+require "googleauth"
 require "google/cloud/datastore"
 
+credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: ::File.open("/path/to/keyfile.json")
+)
+
 datastore = Google::Cloud::Datastore.new(
   project_id: "my-todo-project",
-  credentials: "/path/to/keyfile.json"
+  credentials: credentials
 )
 
 task = datastore.find "Task", "sampleTask"

google-cloud-datastore/README.md

@@ -23,11 +23,16 @@ Instructions and configuration options are covered in the [Authentication Guide]
 ## Example
 
 ```ruby
+require "googleauth"
 require "google/cloud/datastore"
 
+credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: ::File.open("/path/to/keyfile.json")
+)
+
 datastore = Google::Cloud::Datastore.new(
   project_id: "my-todo-project",
-  credentials: "/path/to/keyfile.json"
+  credentials: credentials
 )
 
 # Create a new task to demo datastore

google-cloud-datastore/lib/google-cloud-datastore.rb

@@ -84,9 +84,25 @@ def datastore scope: nil, timeout: nil, database_id: nil
     #
     # @param [String] project_id Identifier for a Datastore project. If not
     #   present, the default project for the credentials is used.
-    # @param [String, Hash, Google::Auth::Credentials] credentials The path to
-    #   the keyfile as a String, the contents of the keyfile as a Hash, or a
-    #   Google::Auth::Credentials object. (See {Datastore::Credentials})
+    # @param [Google::Auth::Credentials] credentials A Google::Auth::Credentials
+    #   object. (See {Datastore::Credentials})
+    #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+    #     is deprecated. Providing an unvalidated credential configuration to
+    #     Google APIs can compromise the security of your systems and data.
+    #
+    #   @example
+    #
+    #     # The recommended way to provide credentials is to use the `make_creds` method
+    #     # on the appropriate credentials class for your environment.
+    #
+    #     credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+    #       json_key_io: ::File.open("/path/to/keyfile.json")
+    #     )
+    #
+    #     datastore = Google::Cloud::Datastore.new(
+    #       project_id: "my-project-id",
+    #       credentials: credentials
+    #     )
     # @param [String, Array<String>] scope The OAuth 2.0 scopes controlling the
     #   set of resources and operations that the connection can access. See
     #   [Using OAuth 2.0 to Access Google