Add service_account_credentials for Google Cloud and Drive

backend/drive/drive.go

@@ -446,12 +446,8 @@ func newPacer() *pacer.Pacer {
 	return pacer.New().SetMinSleep(minSleep).SetPacer(pacer.GoogleDrivePacer)
 }
 
-func getServiceAccountClient(keyJsonfilePath string) (*http.Client, error) {
+func getServiceAccountClient(credentialsData []byte) (*http.Client, error) {
-	data, err := ioutil.ReadFile(os.ExpandEnv(keyJsonfilePath))
+	conf, err := google.JWTConfigFromJSON(credentialsData, driveConfig.Scopes...)
-	if err != nil {
-		return nil, errors.Wrap(err, "error opening credentials file")
-	}
-	conf, err := google.JWTConfigFromJSON(data, driveConfig.Scopes...)
 	if err != nil {
 		return nil, errors.Wrap(err, "error processing credentials")
 	}
@@ -466,9 +462,18 @@ func createOAuthClient(name string) (*http.Client, error) {
 	var oAuthClient *http.Client
 	var err error
 
-	serviceAccountPath := config.FileGet(name, "service_account_file")
+	// try loading service account credentials from env variable, then from a file
-	if serviceAccountPath != "" {
+	serviceAccountCreds := []byte(config.FileGet(name, "service_account_credentials"))
-		oAuthClient, err = getServiceAccountClient(serviceAccountPath)
+	if len(serviceAccountCreds) == 0 {
+		serviceAccountPath := config.FileGet(name, "service_account_file")
+		loadedCreds, err := ioutil.ReadFile(os.ExpandEnv(serviceAccountPath))
+		if err != nil {
+			return nil, errors.Wrap(err, "error opening service account credentials file")
+		}
+		serviceAccountCreds = loadedCreds
+	}
+	if len(serviceAccountCreds) > 0 {
+		oAuthClient, err = getServiceAccountClient(serviceAccountCreds)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to create oauth client from service account")
 		}

backend/googlecloudstorage/googlecloudstorage.go

@@ -277,12 +277,8 @@ func parsePath(path string) (bucket, directory string, err error) {
 	return
 }
 
-func getServiceAccountClient(keyJsonfilePath string) (*http.Client, error) {
+func getServiceAccountClient(credentialsData []byte) (*http.Client, error) {
-	data, err := ioutil.ReadFile(os.ExpandEnv(keyJsonfilePath))
+	conf, err := google.JWTConfigFromJSON(credentialsData, storageConfig.Scopes...)
-	if err != nil {
-		return nil, errors.Wrap(err, "error opening credentials file")
-	}
-	conf, err := google.JWTConfigFromJSON(data, storageConfig.Scopes...)
 	if err != nil {
 		return nil, errors.Wrap(err, "error processing credentials")
 	}
@@ -295,16 +291,25 @@ func NewFs(name, root string) (fs.Fs, error) {
 	var oAuthClient *http.Client
 	var err error
 
-	serviceAccountPath := config.FileGet(name, "service_account_file")
+	// try loading service account credentials from env variable, then from a file
-	if serviceAccountPath != "" {
+	serviceAccountCreds := []byte(config.FileGet(name, "service_account_credentials"))
-		oAuthClient, err = getServiceAccountClient(serviceAccountPath)
+	if len(serviceAccountCreds) == 0 {
+		serviceAccountPath := config.FileGet(name, "service_account_file")
+		loadedCreds, err := ioutil.ReadFile(os.ExpandEnv(serviceAccountPath))
 		if err != nil {
-			log.Fatalf("Failed configuring Google Cloud Storage Service Account: %v", err)
+			return nil, errors.Wrap(err, "error opening service account credentials file")
+		}
+		serviceAccountCreds = loadedCreds
+	}
+	if len(serviceAccountCreds) > 0 {
+		oAuthClient, err = getServiceAccountClient(serviceAccountCreds)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed configuring Google Cloud Storage Service Account")
 		}
 	} else {
 		oAuthClient, _, err = oauthutil.NewClient(name, storageConfig)
 		if err != nil {
-			log.Fatalf("Failed to configure Google Cloud Storage: %v", err)
+			return nil, errors.Wrap(err, "failed to configure Google Cloud Storage")
 		}
 	}
 

docs/content/drive.md

@@ -202,7 +202,10 @@ actively logged-in users, for example build machines.
 To use a Service Account instead of OAuth2 token flow, enter the path
 to your Service Account credentials at the `service_account_file`
 prompt during `rclone config` and rclone won't use the browser based
-authentication flow.
+authentication flow. If you'd rather stuff the contents of the
+credentials file into the rclone config file, you can set
+`service_account_credentials` with the actual contents of the file
+instead, or set the equivalent environment variable.
 
 #### Use case - Google Apps/G-suite account and individual Drive ####
 

docs/content/googlecloudstorage.md

@@ -212,7 +212,10 @@ are what rclone will use for authentication.
 To use a Service Account instead of OAuth2 token flow, enter the path
 to your Service Account credentials at the `service_account_file`
 prompt and rclone won't use the browser based authentication
-flow.
+flow. If you'd rather stuff the contents of the credentials file into
+the rclone config file, you can set `service_account_credentials` with
+the actual contents of the file instead, or set the equivalent
+environment variable.
 
 ### --fast-list ###