Expanded auth docs (GoogleCloudPlatform#265)

This is a follow-up to GoogleCloudPlatform#250 to document the new functionality
modular-magician · Jul 23, 2021 · 9825fbf · 9825fbf
1 parent 432945d
commit 9825fbf
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/docs/user_guide.md b/docs/user_guide.md
@@ -13,13 +13,24 @@ terraform show -json ./tfplan.tfplan > ./tfplan.json
 
 ## Auth
 
-The `terraform` and `terraform-validator` commands need to be able to authenticate to Google Cloud APIs. This can be done by [generating a `credentials.json` file](https://cloud.google.com/docs/authentication/production). For local development, you can generate application default credentials. For production, use service account credentials instead.
+`terraform-validator` supports the same environment variables for authentication used by the [`google` provider for terraform](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication).
 
-Once you have a credentials file on your local machine, set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to point to the credentials file.
+In particular, you can use the following environment variables (in order of precedence) to provide a [service account key file](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#full-reference):
+
+
+- `GOOGLE_CREDENTIALS`
+- `GOOGLE_CLOUD_KEYFILE_JSON`
+- `GOOGLE_KEYFILE_JSON`
+
+Using Terraform-Validator-specific [service accounts](https://cloud.google.com/docs/authentication/getting-started) is the recommended practice when using Terraform Validator.
+
+You can also authenticate using an [OAuth 2.0 access token](https://developers.google.com/identity/protocols/OAuth2), which can be provided via the `GOOGLE_OAUTH_ACCESS_TOKEN` environment variable.
+
+For local development, you can also use [Google Application Default Credentials](https://cloud.google.com/docs/authentication/production) by providing the path to your application default credentials file via the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.
 
 ```
 gcloud auth application-default login  # local development only
-GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/application_default_credentials.json  # or path to service account credentials
+GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/application_default_credentials.json
 ```
 
 ## `terraform-validator validate`