Override the default authentication method

This document describes how to override the default authentication used by Rust. The Rust automatically authenticate your requests to Google Cloud services, but you may occasionally need to override your default credentials.

Prerequisites

This guide uses the Cloud Natural Language API. To install this API follow the service quickstart, which shows you how to enable a service.

For complete setup instructions for the Rust libraries, see Getting started with Rust.

Dependencies

You must declare the dependencies in your Cargo.toml file:

cargo add google-cloud-language-v2 google-cloud-auth

The default credentials

The recommended way to authenticate applications in Google Cloud is to use Application Default Credentials, without any configuration the client libraries default to this credential type. See How Application Default Credentials work for information about you can configure this default without any code changes in your application.

Add some use declarations to simplify the rest of the example:

use google_cloud_language_v2::client::LanguageService;
use google_cloud_language_v2::model::{Document, document::Type};

Initialize the client using the defaults:

let client = LanguageService::builder().build().await?;

Use this client as usual:

let response = client
    .analyze_sentiment()
    .set_document(
        Document::new()
            .set_content("Hello World!")
            .set_type(Type::PlainText),
    )
    .send()
    .await?;
println!("response={response:?}");

Override the default credentials: API keys

API keys are text strings that grant access to some Google Cloud services. Using API keys may simplify development as they require less configuration than other authentication methods. There are some risks associated with API keys, we recommended you read Best practices for managing API keys if you plan to use them.

Write a function that receives the API key string as an input parameter:
```
pub async fn sample(key: &str) -> anyhow::Result<()> {
```

Add some use declarations simplify the rest of the example:

use google_cloud_auth::credentials::api_key_credentials::Builder as ApiKeyCredentialsBuilder;
use google_cloud_language_v2::client::LanguageService;
use google_cloud_language_v2::model::{Document, document::Type};

Use the API Keys Builder to create the credentials:

let credentials = ApiKeyCredentialsBuilder::new(key).build();

Initialize the client using the credentials object:

let client = LanguageService::builder()
    .with_credentials(credentials)
    .build()
    .await?;

And use this client as usual:

let response = client
    .analyze_sentiment()
    .set_document(
        Document::new()
            .set_content("Hello World!")
            .set_type(Type::PlainText),
    )
    .send()
    .await?;
println!("response={response:?}");

Override the default credentials: service account impersonation

Service account impersonation lets you make API calls on behalf of a service account. Use service account impersonation discusses this form of authentication in detail.

When you use service account impersonation, you start with an authenticated principal (your user account or a service account) and request short-lived credentials for a service account that has the authorization that your use case requires.

It is more secure than downloading a service account key for the target service account, as you don't need to hold the credentials in the file system or even in memory.

Write the example in a function that receives the service account identifier as an input parameter. This can be the service account email or the unique numeric Google-assigned identifier of the service account.

/// # Parameters
/// * `target_principal`: the email or unique id of the target service account.
///   For example: `my-service-account@my-project.iam.gserviceaccount.com`.
pub async fn sample(target_principal: &str) -> anyhow::Result<()> {