Description
Problem
get_quota_project() in src/auth.rs reads quota_project_id exclusively from ADC files (GOOGLE_APPLICATION_CREDENTIALS or ~/.config/gcloud/application_default_credentials.json). It does not check the GOOGLE_CLOUD_QUOTA_PROJECT environment variable.
This is inconsistent with all official Google client libraries (Python, Go, Java, Node.js, C#), which support GOOGLE_CLOUD_QUOTA_PROJECT as a standard override with higher priority than the credentials file. See Google's documentation on setting the quota project.
Impact
When gws is embedded in a third-party tool that provides its own OAuth token via GOOGLE_WORKSPACE_CLI_TOKEN, the x-goog-user-project header is still read from the user's local ADC file. If the user has gcloud configured for a different GCP project (common for developers working on their own GCP projects), API calls fail with errors like:
Gmail API has not been used in project <wrong-project> before or it is disabled.
There is no way to override this without modifying the user's ADC file.
Expected Behavior
get_quota_project() should check GOOGLE_CLOUD_QUOTA_PROJECT first, consistent with the precedence defined by Google:
- Programmatic (client option)
- GOOGLE_CLOUD_QUOTA_PROJECT environment variable
- quota_project_id from credentials file
Related
- fix(client): For ADC, send x-goog-user-project header #215 — Added get_quota_project() and x-goog-user-project support
- fix(client): Move x-goog-user-project header to API requests only #242 — Moved the header to API requests only
- google-auth-library-python PR #1163 — Added GOOGLE_CLOUD_QUOTA_PROJECT support
- Google docs: Set the quota project
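A sketch of the precedence requested under Expected Behavior, added here as an illustration and not taken from the gws code base. `resolve_quota_project`, `Source` and the injected `get_env` lookup are hypothetical names, and the hand-rolled JSON field extraction stands in for a real parser such as serde_json.

```rust
use std::{env, fs, path::PathBuf};

/// Which layer supplied the quota project (worth logging when debugging 403s).
#[derive(Debug, PartialEq)]
pub enum Source { ClientOption, EnvVar, AdcFile }

// Assumption of this sketch: empty or whitespace-only values count as unset.
fn non_empty(v: Option<String>) -> Option<String> {
    v.map(|s| s.trim().to_string()).filter(|s| !s.is_empty())
}

// Minimal stand-in for a JSON parser (real code would use serde_json):
// returns the string value that follows `"key":` in the ADC document.
fn json_string_field(json: &str, key: &str) -> Option<String> {
    let start = json.find(&format!("\"{}\"", key))? + key.len() + 2;
    let rest = json[start..].trim_start().strip_prefix(':')?.trim_start();
    let body = rest.strip_prefix('"')?;
    Some(body[..body.find('"')?].to_string())
}

// ADC location: GOOGLE_APPLICATION_CREDENTIALS, else the gcloud default file.
fn adc_path(get_env: &dyn Fn(&str) -> Option<String>) -> Option<PathBuf> {
    non_empty(get_env("GOOGLE_APPLICATION_CREDENTIALS")).map(PathBuf::from).or_else(|| {
        let home = non_empty(get_env("HOME"))?;
        Some(PathBuf::from(home).join(".config/gcloud/application_default_credentials.json"))
    })
}

/// Precedence: client option, then GOOGLE_CLOUD_QUOTA_PROJECT, then ADC file.
pub fn resolve_quota_project(
    client_option: Option<&str>,
    get_env: &dyn Fn(&str) -> Option<String>,
) -> Option<(String, Source)> {
    if let Some(p) = non_empty(client_option.map(String::from)) {
        return Some((p, Source::ClientOption));
    }
    if let Some(p) = non_empty(get_env("GOOGLE_CLOUD_QUOTA_PROJECT")) {
        return Some((p, Source::EnvVar));
    }
    let json = fs::read_to_string(adc_path(get_env)?).ok()?;
    non_empty(json_string_field(&json, "quota_project_id")).map(|p| (p, Source::AdcFile))
}

fn main() {
    let process_env = |k: &str| env::var(k).ok();
    println!("{:?}", resolve_quota_project(None, &process_env));
}
```

Returning the source alongside the value makes it possible to log which layer chose the project sent in x-goog-user-project.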