doc: update documentation to point to security best practice (#14942)

cuiy0006 · web-flow · commit 6af16134c117 · 2025-01-22T17:45:42.000-05:00
diff --git a/google/cloud/credentials.h b/google/cloud/credentials.h
@@ -119,6 +119,14 @@ std::shared_ptr<Credentials> MakeInsecureCredentials(Options opts = {});
  *   service account key file, or a JSON object describing your user
  *   credentials.
  *
+ * @warning If you accept a credential configuration (credential
+ * JSON/File/Stream) from an external source for authentication to Google Cloud
+ * Platform, you must validate it before providing it to any Google API or
+ * client library. Providing an unvalidated credential configuration to Google
+ * APIs can compromise the security of your systems and data. For more
+ * information, refer to
+ * https://cloud.google.com/docs/authentication/external/externally-sourced-credentials.
+ *
  * @see https://cloud.google.com/docs/authentication for more information on
  *     authentication in GCP.
  *
@@ -265,6 +273,14 @@ std::shared_ptr<Credentials> MakeServiceAccountCredentials(
  * identity provider that supports OpenID Connect (OIDC), such as Microsoft
  * Azure, or SAML 2.0.
  *
+ * @warning If you accept a credential configuration (credential
+ * JSON/File/Stream) from an external source for authentication to Google Cloud
+ * Platform, you must validate it before providing it to any Google API or
+ * client library. Providing an unvalidated credential configuration to Google
+ * APIs can compromise the security of your systems and data. For more
+ * information, refer to
+ * https://cloud.google.com/docs/authentication/external/externally-sourced-credentials.
+ *
  * @see https://cloud.google.com/docs/authentication for more information on
  *     authentication in GCP.
  *
diff --git a/google/cloud/doc/guac.dox b/google/cloud/doc/guac.dox
@@ -89,12 +89,19 @@ considered implementation details. If you would like to use them in your
 own libraries please file a [feature request]. We cannot promise that we will
 be able to satisfy these requests, but we will give them full consideration.
 
+**Important**: If you accept a credential configuration (credential JSON/File/Stream)
+from an external source for authentication to Google Cloud Platform, you must
+validate it before providing it to any Google API or client library. Providing
+an unvalidated credential configuration to Google APIs can compromise the security
+of your systems and data. For more information, refer to [externally sourced credentials].
+
 [principal-overview]: https://cloud.google.com/iam/docs/overview#how_cloud_iam_works
 [Authentication at Google]: https://cloud.google.com/docs/authentication
 [IAM overview]: https://cloud.google.com/iam/docs/overview
 [Application Default Credentials]: https://cloud.google.com/docs/authentication/application-default-credentials
 [Oauth2]: https://oauth.net/2/
 [service account keyfile]: https://cloud.google.com/iam/docs/creating-managing-service-account-keys
 [feature request]: https://github.com/googleapis/google-cloud-cpp/issues
+[externally sourced credentials]: (https://cloud.google.com/docs/authentication/external/externally-sourced-credentials)
 
 */
