Allow GCS authentication with OAuth Access Token (#120)

* Allow auth to GCS via access_token

* Ignore SA credentials when access_token exported.

README.md

@@ -62,6 +62,8 @@ To authenticate against GCS you can:
 
 - Use a service account via [`export GOOGLE_APPLICATION_CREDENTIALS=credentials.json` system variable](https://cloud.google.com/docs/authentication/getting-started)
 
+- Use a temporary [OAuth 2.0 access token](https://developers.google.com/identity/protocols/oauth2) via `export GOOGLE_OAUTH_ACCESS_TOKEN=<MY_ACCESS_TOKEN>` environment variable. When used, plugin will ignore other authentification methods.
+
 See [GCP documentation](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application) for more information.
 
 ### Create a repository

pkg/gcs/gcs.go

@@ -3,17 +3,24 @@ package gcs
 import (
 	"context"
 	"net/url"
+	"os"
 
 	"cloud.google.com/go/storage"
 	"github.com/pkg/errors"
+	"golang.org/x/oauth2"
 	"google.golang.org/api/option"
 )
 
 // NewClient creates a new gcs client.
 // Use Application Default Credentials if serviceAccount is empty.
+// Ignores ADC or serviceAccount when GOOGLE_OAUTH_ACCESS_TOKEN env variable is exported.
 func NewClient(serviceAccountPath string) (*storage.Client, error) {
 	opts := []option.ClientOption{}
-	if serviceAccountPath != "" {
+	token := os.Getenv("GOOGLE_OAUTH_ACCESS_TOKEN")
+	if token != "" {
+		token := &oauth2.Token{AccessToken: token}
+		opts = append(opts, option.WithTokenSource(oauth2.StaticTokenSource(token)))
+	} else if serviceAccountPath != "" {
 		opts = append(opts, option.WithCredentialsFile(serviceAccountPath))
 	}
 	client, err := storage.NewClient(context.Background(), opts...)

plugin.yaml

@@ -1,5 +1,5 @@
 name: "gcs"
-version: "0.3.19"
+version: "0.3.20"
 usage: "Chart repositories on Google Cloud Storage"
 description: |-
   Manage repositories on Google Cloud Storage