refactor(auth): use CLI-based authentication for GCE and Azure (#419)

- GCE: Replace JSON keyfile auth with Application Default Credentials (ADC)
- Azure: Remove unused authFile parameter from NewAzure()
- Update golangci-lint config to v2 format
- Document breaking changes in README

Signed-off-by: Engin Diri <engin.diri@ediri.de>

Author: dirien

.golangci.yaml

@@ -1,24 +1,28 @@
+version: "2"
+
 linters:
   enable:
     - thelper
-    - gofumpt
     - tparallel
     - unconvert
     - unparam
     - wastedassign
     - revive
     - forbidigo
     - tagliatelle
-    - typecheck
     - goconst
     - gocritic
     - gocyclo
     - govet
     - errcheck
     - gosec
-    - goimports
     - nolintlint
 
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+
 linters-settings:
   forbidigo:
     forbid:

README.md

@@ -9,6 +9,19 @@ SDK for every minectl product
 
 ## Breaking changes
 
+### v0.9.0
+
+- **GCE**: Refactored authentication to use Application Default Credentials (ADC) instead of JSON keyfile.
+  - `NewGCE(keyfile, zone string)` changed to `NewGCE(zone string)`
+  - `GCE_KEY` environment variable is no longer used
+  - New required environment variables: `GOOGLE_PROJECT` and `GOOGLE_SERVICE_ACCOUNT_EMAIL`
+  - Optional: `GOOGLE_APPLICATION_CREDENTIALS` for service account JSON (if not using `gcloud auth application-default login`)
+
+- **Azure**: Removed unused `authFile` parameter from `NewAzure()` function.
+  - `NewAzure(authFile string)` changed to `NewAzure()`
+  - `AZURE_AUTH_LOCATION` environment variable is no longer used
+  - No changes needed if already using `AZURE_SUBSCRIPTION_ID` with `az login`
+
 ### v0.8.0
 
 - Rename `Linode` to `Akamai Connected Cloud` and all related files. See this [blog post](https://www.linode.com/blog/linode/a-bold-new-approach-to-the-cloud/) for more information.

cloud/azure/azure.go

@@ -27,7 +27,17 @@ type Azure struct {
 	tmpl           *minctlTemplate.Template
 }
 
-func NewAzure(authFile string) (*Azure, error) {
+// NewAzure creates a new Azure instance using DefaultAzureCredential.
+// Authentication is handled automatically via the Azure credential chain:
+// 1. Environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET)
+// 2. Managed identity (when running on Azure)
+// 3. Azure CLI authentication (az login)
+// 4. Azure PowerShell authentication
+// 5. Azure Developer CLI authentication
+//
+// Required environment variables:
+// - AZURE_SUBSCRIPTION_ID: The Azure subscription ID
+func NewAzure() (*Azure, error) {
 	cred, err := azidentity.NewDefaultAzureCredential(nil)
 	if err != nil {
 		return nil, err

cloud/gce/gce.go

@@ -2,7 +2,6 @@ package gce
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -16,6 +15,7 @@ import (
 	minctlTemplate "github.com/dirien/minectl-sdk/template"
 	"github.com/dirien/minectl-sdk/update"
 	"github.com/pkg/errors"
+	"golang.org/x/oauth2/google"
 	"google.golang.org/api/compute/v1"
 	"google.golang.org/api/googleapi"
 	"google.golang.org/api/option"
@@ -40,35 +40,67 @@ type GCE struct {
 	tmpl               *minctlTemplate.Template
 }
 
-func NewGCE(keyfile, zone string) (*GCE, error) {
-	file, err := os.ReadFile(keyfile)
-	if err != nil {
-		return nil, err
+// NewGCE creates a new GCE instance using Application Default Credentials (ADC).
+// Authentication is handled automatically via the standard Google credential chain:
+// 1. GOOGLE_APPLICATION_CREDENTIALS environment variable (path to service account JSON)
+// 2. gcloud CLI authentication (gcloud auth application-default login)
+// 3. GCE metadata service (when running on Google Cloud)
+//
+// Required environment variables:
+// - GOOGLE_PROJECT: The GCP project ID
+// - GOOGLE_SERVICE_ACCOUNT_EMAIL: The service account email (for OS Login SSH access)
+//
+// Optional:
+// - GOOGLE_APPLICATION_CREDENTIALS: Path to service account JSON (if not using gcloud CLI auth)
+func NewGCE(zone string) (*GCE, error) {
+	ctx := context.Background()
+
+	// Get project ID from environment
+	projectID := os.Getenv("GOOGLE_PROJECT")
+	if projectID == "" {
+		return nil, errors.New("GOOGLE_PROJECT environment variable is required")
 	}
-	var cred Credentials
-	err = json.Unmarshal(file, &cred)
+
+	// Get service account email from environment (required for OS Login)
+	serviceAccountEmail := os.Getenv("GOOGLE_SERVICE_ACCOUNT_EMAIL")
+	if serviceAccountEmail == "" {
+		return nil, errors.New("GOOGLE_SERVICE_ACCOUNT_EMAIL environment variable is required")
+	}
+
+	// Use Application Default Credentials
+	// This supports:
+	// - GOOGLE_APPLICATION_CREDENTIALS env var pointing to service account JSON
+	// - gcloud auth application-default login
+	// - GCE metadata service
+	creds, err := google.FindDefaultCredentials(ctx, compute.ComputeScope, oslogin.ComputeScope)
 	if err != nil {
-		return nil, err
+		return nil, errors.Wrap(err, "failed to find default credentials. Run 'gcloud auth application-default login' or set GOOGLE_APPLICATION_CREDENTIALS")
 	}
-	computeService, err := compute.NewService(context.Background(), option.WithCredentialsJSON(file))
+
+	computeService, err := compute.NewService(ctx, option.WithCredentials(creds))
 	if err != nil {
-		return nil, err
+		return nil, errors.Wrap(err, "failed to create compute service")
 	}
 
-	userService, err := oslogin.NewService(context.Background(), option.WithCredentialsJSON(file))
+	userService, err := oslogin.NewService(ctx, option.WithCredentials(creds))
 	if err != nil {
-		return nil, err
+		return nil, errors.Wrap(err, "failed to create oslogin service")
 	}
+
 	tmpl, err := minctlTemplate.NewTemplateBash()
 	if err != nil {
 		return nil, err
 	}
+
+	// Extract service account ID from email (the part before @)
+	serviceAccountID := strings.Split(serviceAccountEmail, "@")[0]
+
 	return &GCE{
 		client:             computeService,
-		projectID:          cred.ProjectID,
+		projectID:          projectID,
 		user:               userService,
-		serviceAccountName: cred.ClientEmail,
-		serviceAccountID:   cred.ClientID,
+		serviceAccountName: serviceAccountEmail,
+		serviceAccountID:   serviceAccountID,
 		zone:               zone,
 		tmpl:               tmpl,
 	}, nil