Google Cloud's IAM allows you to activate/deactivate service account keys, so you can safely deactivate and remove a key once you're sure it hasn't broken anything in your systems. In my case, I'm working on a project that implements an API that allows our clients to provision repositories in Google Artifact Registry automatically, and handle their credentials (service accounts and keys). The service is implemented in Go and we are using the GCP API clients for Go to interact with the GCP services.

The problem I'm facing is that the `cloud.google.com/go/iam/admin/apiv1.IamClient` we're using for interacting with the IAM service doesn't expose the methods for activating/deactivating keys, but the `cloud.google.com/go/iam/admin/apiv1/adminpb.IAMClient` which it internally uses (see the constructor below) does have them, so I don't really understand the reason for this and I don't know what I should do. Should I use `cloud.google.com/go/iam/admin/apiv1/adminpb.IAMClient` just for the key activating/deactivating operations, or use it for everything and get rid of the dependency on `cloud.google.com/go/iam/admin/apiv1.IamClient` in my code base?
Here you can see the constructor function for `cloud.google.com/go/iam/admin/apiv1.IamClient`:

```go
func NewIamClient(ctx context.Context, opts ...option.ClientOption) (*IamClient, error) {
	connPool, err := gtransport.DialPool(ctx, append(defaultIamClientOptions(), opts...)...)
	if err != nil {
		return nil, err
	}
	c := &IamClient{
		connPool:    connPool,
		CallOptions: defaultIamCallOptions(),
		iamClient:   adminpb.NewIAMClient(connPool),
	}
	c.setGoogleClientInfo()
	return c, nil
}
```
I guess I could replicate this code myself and directly use `cloud.google.com/go/iam/admin/apiv1/adminpb.IAMClient` as per my convenience. Do you see any issue with that approach? Can you suggest a better one? Maybe a different API client I'm not aware of...

By the way, I'm following these docs and using the Go clients from cloud.google.com. I'm using the libraries from cloud.google.com instead of those from google.golang.org for historical reasons (they were already using those libraries when I joined the project), but it would also be nice to know why I should use one over the other, because I don't quite understand the difference between them.