DLP : Default application credentials are not getting picked up when running locally

[jabubake]

Running code locally gives me:
"Error in inspectString: io.grpc.StatusRuntimeException: PERMISSION_DENIED: DLP API has not been used in project usable-auth-library before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/dlp.googleapis.com/overview?project=usable-auth-library then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry."

I need to explicitly provide GOOGLE_APPLICATION_CREDENTIALS env var, gcloud auth application-default login does not work.

[chanseokoh]

AFAIK, usable-auth-library is an internal project assigned to gcloud, and there may be a reason that the Cloud SDK team did not enable the DLP API. I know the team cannot enable APIs if the APIs end up charging the internal project.

BTW, The DLP quickstart does not list Cloud SDK as a requirement, and it should work without gcloud installed: https://cloud.google.com/dlp/docs/quickstart-cli. Maybe it's intended that you should use GOOGLE_APPLICATION_CREDENTIALS as described in the quickstart?

[garrettjonesgoogle]

We need to update the error we are seeing about the project project usable-auth-library, and guide people to use service account credentials instead.

[pongad]

Is there an action item here? IIUC, setting GOOGLE_APPLICATION_CREDENTIALS is recommneded per auth documentation

[chanseokoh]

One action item I suggest: make DLP not pick up the gcloud application default credential. The confusing error message about the gcloud project is because of this.

BTW, DLP is probably not the only API that is disabled in the gcloud project.

[pongad]

@garrettjonesgoogle I believe the gcloud default credential is automatically looked up by GoogleCredentials.getApplicationDefault which also looks up GOOGLE_APPLICATION_CREDENTIALS env var right?

@chanseokoh To make sure I understand you right, we should ignore the gcloud default (set on gcloud command) but continue to look up the env var?

[chanseokoh]

@pongad yeah, I think that is ideal, for APIs like DLP for which the internal gcloud project specifically disables. It should of course be able to get a credential through the env var.

[garrettjonesgoogle]

@pongad I believe your understanding is correct.

[pongad]

I did some more digging. We are discouraging people and APIs from using gcloud auth application-default login and intend to deprecate this mechanism. Setting the env var is the preferable method.

I'll close this as wontfix. Eventually, I believe the auth library should stop working with the gcloud command altogether. cc @vchudnov-g

[jabubake]

@pongad : fine with this not working, but can we provide a better error message to the user here to ask them to set GOOGLE_APPLICATION_CREDENTIALS or link them to the right auth docs ?

[vchudnov-g]

@jabubake Internally, b/64388723 tracks the implementation of the better error message. I've added you to the cc list on that.