File, Config or Environment Variable?

Asking ChatGPT Led me to https://console.cloud.google.com/iam-admin/serviceaccounts/details/YOUR_...

And the info I was missing:

4. Create JSON Key
• Click the service account you just created.
• Go to the “Keys” tab.
• Click Add Key > Create New Key
• Select JSON
• Click Create

A .json file (not .key) will download — this is the “key file” Drupal is asking for.

It was there in my download file, I just hadn't noticed it.

The other missing detail here is that it needs to be added with the key provider "Configuration" (not File!) which was a bit confusing.

I see 2 parts here:
1. Although Vertex authentication should be done via JSON file, keys of type "File" do not work. This is a bug that is easily fixable in VertexProvider::getAccessToken() - which should try to unserialize the key before creating ServiceAccountCredentials
2. (working) keys of type environment/configuration should be documented better. This part specifically?

Could explain that the key should be in fact the path to the JSON file (which is a bit controversial)

What if, to avoid confusion, we limit selection of keys in provider form to only file-based? Suggested MR does just that, and changes a little description of the key select to

Choose an available key. If the desired key is not listed, create a new key. Important: Key must use "File" provider and point to the JSON credentials file. Read more at https://cloud.google.com/docs/authentication/application-default-credent....

One thing to decide is whether we need an update hook to switch from config/environment key to file based for existing installations.

I added hook_update_N() just in case

Thanks @valthebald just scanned the code. Looks good to me. I'll try to test the patch.

I'll go on and merge this

Thanks.. Sorry I didn't get to looking at reviewing the code in my sandbox. I appreciate this fix.

Automatically closed - issue fixed for 2 weeks with no activity.