Description
Google Cloud Storage has 2 ways to authenticate: by detection of the cloud environment, or by a plaintext file containing credential information. Support for the credential file is being added to the Elasticsearch keystore, but the way in which the cloud environment is loaded is problematic for completely disallowing the plaintext credential file. The Google code to load the default credentials first looks for an environment variable which points to the file, and then looks in "known locations", before trying to do detection of the cloud environment.
We should do just as we did with S3 and not allow using a plaintext file. One idea is to look for the environment variable and known locations, and error up front. The tricky part about this is that it would require adding security permissions just to check if the env var or files exist. Another idea is to leave it as it is currently, where both would fail, due to lack of security permissions to read the env var or the file locations (in the user home directory). At minimum, we should document that this is not supported.
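
A sketch of the "error up front" idea, as an added example that is not Elasticsearch's or Google's code. The class and method names are hypothetical, and the variable name `GOOGLE_APPLICATION_CREDENTIALS` and the gcloud file path are not given in this description; they are assumed here to be the environment variable and known location that the default-credentials lookup consults.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/** Hypothetical startup check: fail if a plaintext GCS credential file would be discovered. */
public final class PlaintextGcsCredentialCheck {

    // Assumed name of the environment variable that points to the credential file.
    static final String ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS";
    // Assumed file name used in the gcloud "known location".
    static final String WELL_KNOWN_FILE = "application_default_credentials.json";

    /** Returns one message per plaintext source found; an empty list means none. */
    static List<String> findPlaintextSources(Map<String, String> env, Path userHome, boolean windows) {
        List<String> found = new ArrayList<>();
        String fromEnv = env.get(ENV_VAR);
        if (fromEnv != null && !fromEnv.isEmpty()) {
            // Report the variable name only, never the path it holds.
            found.add("environment variable " + ENV_VAR + " is set");
        }
        // Known location: %APPDATA%\gcloud on Windows, ~/.config/gcloud elsewhere.
        Path gcloudDir = null;
        if (windows) {
            String appData = env.get("APPDATA");
            if (appData != null && !appData.isEmpty()) {
                gcloudDir = Paths.get(appData, "gcloud");
            }
        } else {
            gcloudDir = userHome.resolve(".config").resolve("gcloud");
        }
        if (gcloudDir != null && Files.exists(gcloudDir.resolve(WELL_KNOWN_FILE))) {
            found.add("credential file present in " + gcloudDir);
        }
        return found;
    }

    public static void main(String[] args) {
        // Under a SecurityManager these reads need a getenv RuntimePermission and a
        // read FilePermission on the home directory, the cost noted in the description.
        boolean windows = System.getProperty("os.name", "").toLowerCase().contains("windows");
        Path home = Paths.get(System.getProperty("user.home"));
        List<String> found = findPlaintextSources(System.getenv(), home, windows);
        if (!found.isEmpty()) {
            throw new IllegalStateException("plaintext GCS credentials are not supported: " + found);
        }
        System.out.println("no plaintext GCS credential source found");
    }
}
```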