docs: Update README with client-side CAB instructions #1607
This commit updates the README file to include instructions for setting up and using the client-side CAB feature.
README.md
There are two ways to generate downscoped tokens using a | ||
CredentialAccessBoundary: |
nit: If possible, could there be like a table or a pros/cons comparison between the two that explicitly spells out any considerations/impacts of one vs the other?
Also, is there a need for something like a migration guide? To help users potentially migrate from server-side to client-side?
Also, is there a general recommendation that your team would provide between the two? I know it's possible that may not be a recommendation.
i.e. Prefer client-side unless ... X,Y,Z blocker?
Checked with the team, we don't have a general recommendation, or a migration guide. Depending on their use case, and whether or not they need many unique downscoped tokens or they can re-use existing ones, they can decide between the two options.
Ok, that's fine that there is no recommendation. To clarify my above messages, I think the wording below makes it seem like there is almost no reason not to choose client-side CAB.
From a new user's perspective: Client side minimizes the amount of calls to STS when rules change frequently. If my rules don't even change that frequently, I can imagine that there would be even fewer calls to STS, making it even more efficient.
My point is that I think from a new user perspective, I don't know when/why I would consider server-side CAB. All I see is pros for client-side over server-side.
LGTM. Added a few nits if you could address.
I also just noticed this here: google-auth-library-java/README.md Line 10 in 8e59c59
I think we can update this to reflect this latest module.
Ah good catch! I just realized that all the cab stuff are under
Oh @nbayati I see this is to the client-side-cab branch and not to main. I think we'll need to raise another PR to main
* docs: Update README with client-side CAB instructions

  This commit updates the README file to include instructions for setting up and using the client-side CAB feature.
* chore: readme file wording updated based on comments feedback.
* Update readme: Mention CAB rule changes and its effect on server vs client side token generation.
* Link to wikipedia page for Principle of the Least Privilege concept.
* chore: fix spacing.
* Add a section for google-auth-library-cab-token-generator
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.http-client:google-http-client-jackson2](https://github.com/googleapis/google-http-java-client) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.46.0` -> `1.46.1` |
| [com.google.http-client:google-http-client](https://github.com/googleapis/google-http-java-client) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.46.0` -> `1.46.1` |
| [com.google.auth:google-auth-library-oauth2-http](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.32.0` -> `1.32.1` |
| [com.google.auth:google-auth-library-credentials](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.32.0` -> `1.32.1` |
| [com.autonomousapps.dependency-analysis](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `2.8.0` -> `2.8.1` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` |

---

### Release Notes

<details>
<summary>googleapis/google-http-java-client (com.google.http-client:google-http-client-jackson2)</summary>

### [`v1.46.1`](https://github.com/googleapis/google-http-java-client/blob/HEAD/CHANGELOG.md#1461-2025-02-07)

##### Bug Fixes

- Remove unnecessary nexus plugin activation ([#2071](googleapis/google-http-java-client#2071)) ([e3a3523](googleapis/google-http-java-client@e3a3523))

##### Dependencies

- Revert dependency io.grpc:grpc-context back to v1.69.0 ([5790ac4](googleapis/google-http-java-client@5790ac4))

</details>

<details>
<summary>googleapis/google-auth-library-java (com.google.auth:google-auth-library-oauth2-http)</summary>

### [`v1.32.1`](https://github.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1321-2025-02-07)

##### Bug Fixes

- Add cab-token-generator module to Auth BOM ([#1662](googleapis/google-auth-library-java#1662)) ([e409b02](googleapis/google-auth-library-java@e409b02))
- Remove unnecessary nexus-staging-maven-plugin activation ([#1665](googleapis/google-auth-library-java#1665)) ([d138023](googleapis/google-auth-library-java@d138023))

##### Dependencies

- Update dependency com.google.http-client:google-http-client-bom to v1.46.0 ([e53c441](googleapis/google-auth-library-java@e53c441))

##### Documentation

- Update README with client-side CAB instructions ([#1607](googleapis/google-auth-library-java#1607)) ([#1666](googleapis/google-auth-library-java#1666)) ([2996297](googleapis/google-auth-library-java@2996297))

</details>

<details>
<summary>autonomousapps/dependency-analysis-android-gradle-plugin (com.autonomousapps.dependency-analysis)</summary>

### [`v2.8.1`](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin/blob/HEAD/CHANGELOG.md#Version-281)

- \[Fix]: cache `SuperClassGraph`. No need to recompute for each dependency.
- \[Fix]: use less heap by using empty singleton collections.
- \[Fix]: trade metaspace for heap by interning strings.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: c26ab17091cb359fb631e73c0754aab31e09f98e
This commit updates the README file to include instructions for setting up and using the client-side CAB feature.
Design doc: go/client-side-cab-client-library-java