googleapis · coryan · Oct 30, 2023 · Oct 29, 2023 · Oct 30, 2023 · Oct 30, 2023
@@ -306,16 +306,37 @@ struct AccessTokenLifetimeOption {
  * Configures a custom CA (Certificates Authority) certificates file.
  *
  * Most applications should use the system's root certificates and should avoid
- * setting this option unnecessarily. A common exception to this recommendation
- * are containerized applications. These often deploy without system's root
- * certificates and need to explicitly configure a root of trust.
+ * setting this option unnecessarily.
  *
  * The value of this option should be the name of a file in [PEM format].
  * Consult your security team and/or system administrator for the contents of
  * this file. Be aware of the security implications of adding new CA
  * certificates to this file. Only use trustworthy sources for the CA
  * certificates.
  *
+ * The most common cases where this option is needed include:
+ *
+ * - Containerized applications that deploy without the system's root
+ *   certificates and need to explicitly configure a root of trust.
+ * - Applications using gRPC-based services on Windows and macOS, where gRPC
+ *   does not use the default root of trust. Though it might be possible to
+ *   set the `GRPC_DEFAULT_SSL_ROOTS_FILE_PATH` environment variable instead.
+ *
+ * You should set this option both in the credentials and the client options.
+ * For example:
+ * @code
+ * using gc = ::google::cloud;
+ * auto ca = gc::Options{}.set<gc::CARootsFilePathOption>("path/to/roots.pem");
+ * auto credentials = gc::MakeServiceAccountCredentials(..., ca);
+ * // Make a copy, only needed if you plan to use `ca` again.
+ * auto opts = ca;
+ * // Using bigtable to illustrate the option usage, this applies to all
+ * // libraries in `google-cloud-cpp`.
+ * auto connection = gc::bigtable::MakeDataConnection(
+ *     opts.set<gc::UnifiedCredentialsOption>(credentials));
+ * // Use `connection` as usual.
+ * @endcode
+ *
  * For REST-based libraries this configures the [CAINFO option] in libcurl.
  * These are used for all credentials that require authentication, including the
  * default credentials.
@@ -325,8 +346,7 @@ struct AccessTokenLifetimeOption {
  *
  * @warning gRPC does not have a programmatic mechanism to set the CA
  *     certificates for the default credentials. This option only has no effect
- *     with `MakeGoogleDefaultCredentials()`, or
- *     `MakeServiceAccountCredentials()`.
+ *     with `MakeGoogleDefaultCredentials()`.
  *     Consider using the `GRPC_DEFAULT_SSL_ROOTS_FILE_PATH` environment
  *     variable in these cases.
  *

@@ -28,8 +28,7 @@ GrpcServiceAccountAuthentication::GrpcServiceAccountAuthentication(
 
 std::shared_ptr<grpc::Channel> GrpcServiceAccountAuthentication::CreateChannel(
     std::string const& endpoint, grpc::ChannelArguments const& arguments) {
-  // TODO(#6311) - support setting SSL options
-  auto credentials = grpc::SslCredentials(grpc::SslCredentialsOptions{});
+  auto credentials = grpc::SslCredentials(ssl_options_);
   return grpc::CreateCustomChannel(endpoint, credentials, arguments);
 }
 

@@ -89,9 +89,12 @@ std::shared_ptr<GrpcAuthenticationStrategy> CreateAuthenticationStrategy(
           cfg.json_object(), std::move(options));
     }
     void visit(ExternalAccountConfig const& cfg) override {
+      grpc::SslCredentialsOptions ssl_options;
+      auto cainfo = LoadCAInfo(options);
+      if (cainfo) ssl_options.pem_root_certs = std::move(*cainfo);
       result = std::make_unique<GrpcChannelCredentialsAuthentication>(
           grpc::CompositeChannelCredentials(
-              grpc::SslCredentials(grpc::SslCredentialsOptions()),
+              grpc::SslCredentials(ssl_options),
               GrpcExternalAccountCredentials(cfg)));
     }
   } visitor(std::move(cq), std::move(options));

@@ -31,7 +31,7 @@ class TempFile {
 
   ~TempFile();
 
-  std::string name() { return name_; }
+  std::string name() const { return name_; }
 
  private:
   std::string name_;