Update documentation for GCP Secret Manager and Object Store support of implicit authentication (#4592)

antontroshin · msfussell · web-flow · commit aa7a1155d01e · 2025-04-13T20:51:58.000+01:00
Signed-off-by: Anton Troshin &lt;anton@diagrid.io&gt;
Co-authored-by: Mark Fussell &lt;markfussell@gmail.com&gt;
diff --git a/daprdocs/content/en/reference/components-reference/supported-bindings/gcpbucket.md b/daprdocs/content/en/reference/components-reference/supported-bindings/gcpbucket.md
@@ -58,19 +58,24 @@ The above example uses secrets as plain strings. It is recommended to use a secr
 | Field              | Required | Binding support |  Details | Example |
 |--------------------|:--------:|------------|-----|---------|
 | `bucket` | Y | Output | The bucket name | `"mybucket"` |
-| `type` | Y | Output | Tge GCP credentials type | `"service_account"` |
-| `project_id`     | Y | Output | GCP project id| `projectId`
-| `private_key_id` | Y | Output | GCP private key id | `"privateKeyId"`
-| `private_key`    | Y | Output | GCP credentials private key. Replace with x509 cert | `12345-12345`
-| `client_email`   | Y | Output | GCP client email  | `"client@email.com"`
-| `client_id`      | Y |  Output | GCP client id | `0123456789-0123456789`
-| `auth_uri`       | Y | Output | Google account OAuth endpoint | `https://accounts.google.com/o/oauth2/auth`
-| `token_uri`      | Y | Output | Google account token uri | `https://oauth2.googleapis.com/token`
-| `auth_provider_x509_cert_url` | Y | Output | GCP credentials cert url | `https://www.googleapis.com/oauth2/v1/certs`
-| `client_x509_cert_url` | Y | Output | GCP credentials project x509 cert url | `https://www.googleapis.com/robot/v1/metadata/x509/<PROJECT_NAME>.iam.gserviceaccount.com`
+| `project_id`     | Y | Output | GCP project ID | `projectId` |
+| `type` | N | Output | The GCP credentials type | `"service_account"` |
+| `private_key_id` | N | Output | If using explicit credentials, this field should contain the `private_key_id` field from the service account json document | `"privateKeyId"` |
+| `private_key`    | N | Output | If using explicit credentials, this field should contain the `private_key` field from the service account json. Replace with x509 cert | `12345-12345` |
+| `client_email`   | N | Output | If using explicit credentials, this field should contain the `client_email` field from the service account json  | `"client@email.com"` |
+| `client_id`      | N |  Output | If using explicit credentials, this field should contain the `client_id` field from the service account json | `0123456789-0123456789` |
+| `auth_uri`       | N | Output | If using explicit credentials, this field should contain the `auth_uri` field from the service account json | `https://accounts.google.com/o/oauth2/auth` |
+| `token_uri`      | N | Output | If using explicit credentials, this field should contain the `token_uri` field from the service account json | `https://oauth2.googleapis.com/token`|
+| `auth_provider_x509_cert_url` | N | Output | If using explicit credentials, this field should contain the `auth_provider_x509_cert_url` field from the service account json | `https://www.googleapis.com/oauth2/v1/certs`|
+| `client_x509_cert_url` | N | Output | If using explicit credentials, this field should contain the `client_x509_cert_url` field from the service account json | `https://www.googleapis.com/robot/v1/metadata/x509/<PROJECT_NAME>.iam.gserviceaccount.com`|
 | `decodeBase64` | N | Output | Configuration to decode base64 file content before saving to bucket storage. (In case of saving a file with binary content). `true` is the only allowed positive value. Other positive variations like `"True", "1"` are not acceptable. Defaults to `false` | `true`, `false` |
 | `encodeBase64` | N | Output | Configuration to encode base64 file content before return the content. (In case of opening a file with binary content). `true` is the only allowed positive value. Other positive variations like `"True", "1"` are not acceptable. Defaults to `false` | `true`, `false` |
 
+## GCP Credentials
+
+Since the GCP Storage Bucket component uses the GCP Go Client Libraries, by default it authenticates using **Application Default Credentials**. This is explained further in the [Authenticate to GCP Cloud services using client libraries](https://cloud.google.com/docs/authentication/client-libraries) guide.
+Also, see how to [Set up Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc).
+
 ## Binding support
 
 This component supports **output binding** with the following operations:
diff --git a/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-gcp-pubsub.md b/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-gcp-pubsub.md
@@ -76,7 +76,7 @@ The above example uses secrets as plain strings. It is recommended to use a secr
 
 | Field              | Required | Details | Example |
 |--------------------|:--------:|---------|---------|
-| projectId     | Y | GCP project id| `myproject-123`
+| projectId     | Y | GCP project ID | `myproject-123`
 | endpoint       | N  | GCP endpoint for the component to use. Only used for local development (for example) with [GCP Pub/Sub Emulator](https://cloud.google.com/pubsub/docs/emulator). The `endpoint` is unnecessary when running against the GCP production API. | `"http://localhost:8085"`
 | `consumerID`         | N        | The Consumer ID organizes one or more consumers into a group. Consumers with the same consumer ID work as one virtual consumer; for example, a message is processed only once by one of the consumers in the group. If the `consumerID` is not provided, the Dapr runtime set it to the Dapr application ID (`appID`) value. The `consumerID`, along with the `topic` provided as part of the request, are used to build the Pub/Sub subscription ID | Can be set to string value (such as `"channel1"`) or string format value (such as `"{podName}"`, etc.). [See all of template tags you can use in your component metadata.]({{< ref "component-schema.md#templated-metadata-values" >}})
 | identityProjectId | N | If the GCP pubsub project is different from the identity project, specify the identity project using this attribute  | `"myproject-123"`
diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/gcp-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/gcp-secret-manager.md
@@ -50,16 +50,22 @@ The above example uses secrets as plain strings. It is recommended to use a loca
 
 | Field              | Required | Details                        | Example             |
 |--------------------|:--------:|--------------------------------|---------------------|
-| type               | Y        | The type of the account.   | `"service_account"` |
-| project_id         | Y        | The project ID associated with this component. | `"project_id"` |
-| private_key_id     | N        | The private key ID  | `"privatekey"` |
-| client_email       | Y        | The client email address | `"client@example.com"` |
-| client_id          | N        | The ID of the client     | `"11111111"` |
-| auth_uri           | N        | The authentication URI   | `"https://accounts.google.com/o/oauth2/auth"` |
-| token_uri          | N        | The authentication token URI | `"https://oauth2.googleapis.com/token"` |
-| auth_provider_x509_cert_url | N | The certificate URL for the auth provider | `"https://www.googleapis.com/oauth2/v1/certs"` |
-| client_x509_cert_url | N | The certificate URL for the client | `"https://www.googleapis.com/robot/v1/metadata/x509/<project-name>.iam.gserviceaccount.com"`|
-| private_key | Y | The private key for authentication | `"privateKey"` |
+| `project_id`         | Y        | The project ID associated with this component. | `"project_id"` |
+| `type`              | N        | The type of the account.   | `"service_account"` |
+| `private_key_id` | N | If using explicit credentials, this field should contain the `private_key_id` field from the service account json document | `"privateKeyId"`|
+| `private_key`    | N | If using explicit credentials, this field should contain the `private_key` field from the service account json. Replace with x509 cert | `12345-12345`|
+| `client_email`   | N | If using explicit credentials, this field should contain the `client_email` field from the service account json  | `"client@email.com"`|
+| `client_id`      | N | If using explicit credentials, this field should contain the `client_id` field from the service account json | `0123456789-0123456789`|
+| `auth_uri`       | N | If using explicit credentials, this field should contain the `auth_uri` field from the service account json | `https://accounts.google.com/o/oauth2/auth`|
+| `token_uri`      | N | If using explicit credentials, this field should contain the `token_uri` field from the service account json | `https://oauth2.googleapis.com/token`|
+| `auth_provider_x509_cert_url` | N | If using explicit credentials, this field should contain the `auth_provider_x509_cert_url` field from the service account json | `https://www.googleapis.com/oauth2/v1/certs`|
+| `client_x509_cert_url` | N | If using explicit credentials, this field should contain the `client_x509_cert_url` field from the service account json | `https://www.googleapis.com/robot/v1/metadata/x509/<PROJECT_NAME>.iam.gserviceaccount.com`|
+
+
+## GCP Credentials
+
+Since the GCP Secret Manager component uses the GCP Go Client Libraries, by default it authenticates using **Application Default Credentials**. This is explained further in the [Authenticate to GCP Cloud services using client libraries](https://cloud.google.com/docs/authentication/client-libraries) guide.
+Also, see how to [Set up Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc).
 
 ## Optional per-request metadata properties
 
