googleapis · bshaffer · Sep 29, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025
@@ -93,30 +93,30 @@ $video = new VideoIntelligenceServiceClient([
 ```
 
 #### Note:
-Some clients accept the `keyFilePath` and `keyFile` configuration options pointing to the credentials file:
+Some clients accept the `keyFilePath` and `keyFile` configuration options pointing to the credentials
+file. However, both of these options are deprecated in favor of using the `credentialsFetcher`
+option or
+[Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials).
 
 ```php
-use Google\Cloud\Storage\StorageClient;
+require 'vendor/autoload.php';
 
-// Authenticate using a keyfile path
-$cloud = new StorageClient([
-    'keyFilePath' => 'path/to/keyfile.json'
-]);
+use Google\Cloud\Storage\StorageClient;
+use Google\Auth\Credentials\ServiceAccountCredentials;
 
-// Authenticate using keyfile data
-$cloud = new StorageClient([
-    'keyFile' => json_decode(file_get_contents('/path/to/keyfile.json'), true)
+// Create the service account credentials and pass them in using the "credentialsFile" option
+$keyFile = json_decode(file_get_contents('/path/to/keyfile.json'), true);
+$storage = new StorageClient([
+    'credentialsFetcher' => new ServiceAccountCredentials($scopes, $keyFile),
 ]);
 ```
 A list of clients that accept these parameters are:
-- [Bigtable](https://github.com/googleapis/google-cloud-php-bigtable)
-- [Spanner](https://github.com/googleapis/google-cloud-php-spanner)
-- [Firestore](https://github.com/googleapis/google-cloud-php-firestore)
+
+- [BigQuery](https://github.com/googleapis/google-cloud-php-bigquery)
 - [Datastore](https://github.com/googleapis/google-cloud-php-datastore)
-- [Pubsub](https://github.com/googleapis/google-cloud-php-pubsub)
+- [Firestore](https://github.com/googleapis/google-cloud-php-firestore)
 - [Logging](https://github.com/googleapis/google-cloud-php-logging)
-- [Translate](https://github.com/googleapis/google-cloud-php-translate)
-- [Bigquery](https://github.com/googleapis/google-cloud-php-bigquery)
+- [Spanner](https://github.com/googleapis/google-cloud-php-spanner)
 - [Storage](https://github.com/googleapis/google-cloud-php-storage)
 
 We recommend to visit the Check the [client documentation][php-ref-docs] for the client library you're using

@@ -93,12 +93,50 @@ class BigQueryClient
      *           fetcher instance.
      *     @type callable $httpHandler A handler used to deliver Psr7 requests.
      *           Only valid for requests sent over REST.
-     *     @type array $keyFile The contents of the service account credentials
-     *           .json file retrieved from the Google Developer's Console.
-     *           Ex: `json_decode(file_get_contents($path), true)`.
-     *     @type string $keyFilePath The full path to your service account
-     *           credentials .json file retrieved from the Google Developers
-     *           Console.
+     *     @type array $keyFile [DEPRECATED]
+     *           @deprecated This option is being deprecated because of a potential security risk.
+     *           This option does not validate the credential configuration. The security
+     *           risk occurs when a credential configuration is accepted from a source
+     *           that is not under your control and used without validation on your side.
+     *           If you know that you will be loading credential configurations of a
+     *           specific type, it is recommended to create the credentials directly and
+     *           configure them using the `credentialsFetcher` option instead.
+     *           ```
+     *           use Google\Auth\Credentials\ServiceAccountCredentials;
+     *           $credentialsFetcher = new ServiceAccountCredentials($scopes, $json);
+     *           $creds = new BigQueryClient(['credentialsFetcher' => $creds]);
+     *           ```
+     *           This will ensure that an unexpected credential type with potential for
+     *           malicious intent is not loaded unintentionally. You might still have to do
+     *           validation for certain credential types.
+     *           If you are loading your credential configuration from an untrusted source and have
+     *           not mitigated the risks (e.g. by validating the configuration yourself), make
+     *           these changes as soon as possible to prevent security risks to your environment.
+     *           Regardless of the method used, it is always your responsibility to validate
+     *           configurations received from external sources.
+     *           @see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+    *     @type string $keyFilePath [DEPRECATED]
+     *           @deprecated This option is being deprecated because of a potential security risk.
+     *           This option does not validate the credential configuration. The security
+     *           risk occurs when a credential configuration is accepted from a source
+     *           that is not under your control and used without validation on your side.
+     *           If you know that you will be loading credential configurations of a
+     *           specific type, it is recommended to create the credentials directly and
+     *           configure them using the `credentialsFetcher` option instead.
+     *           ```
+     *           use Google\Auth\Credentials\ServiceAccountCredentials;
+     *           $credentialsFetcher = new ServiceAccountCredentials($scopes, $json);
+     *           $creds = new BigQueryClient(['credentialsFetcher' => $creds]);
+     *           ```
+     *           This will ensure that an unexpected credential type with potential for
+     *           malicious intent is not loaded unintentionally. You might still have to do
+     *           validation for certain credential types.
+     *           If you are loading your credential configuration from an untrusted source and have
+     *           not mitigated the risks (e.g. by validating the configuration yourself), make
+     *           these changes as soon as possible to prevent security risks to your environment.
+     *           Regardless of the method used, it is always your responsibility to validate
+     *           configurations received from external sources.
+     *           @see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
      *     @type float $requestTimeout Seconds to wait before timing out the
      *           request. **Defaults to** `0` with REST and `60` with gRPC.
      *     @type int $retries Number of retries for a failed request. **Defaults

@@ -91,15 +91,23 @@ class BigtableClient
      *     @type string $apiEndpoint The address of the API remote host. May
      *           optionally include the port, formatted as "<uri>:<port>".
      *           **Defaults to** 'bigtable.googleapis.com:443'.
-     *     @type string|array|FetchAuthTokenInterface|CredentialsWrapper $credentials
-     *           The credentials to be used by the client to authorize API calls.
-     *           This option accepts either a path to a credentials file, or a
-     *           decoded credentials file as a PHP array.
-     *           *Advanced usage*: In addition, this option can also accept a
-     *           pre-constructed {@see FetchAuthTokenInterface} object
-     *           or {@see CredentialsWrapper} object. Note that when one of
-     *           these objects are provided, any settings in
-     *           `$config['credentialsConfig']` will be ignored.
+     *     @type FetchAuthTokenInterface|CredentialsWrapper $credentials
+     *           This option should only be used with a pre-constructed
+     *           {@see FetchAuthTokenInterface} or {@see CredentialsWrapper} object. Note that
+     *           when one of these objects are provided, any settings in $credentialsConfig will
+     *           be ignored.
+     *           **Important**: If you are providing a path to a credentials file, or a decoded
+     *           credentials file as a PHP array, this usage is now DEPRECATED. Providing an
+     *           unvalidated credential configuration to Google APIs can compromise the security
+     *           of your systems and data. It is recommended to create the credentials explicitly
+     *           ```
+     *           use Google\Auth\Credentials\ServiceAccountCredentials;
+     *           use Google\Cloud\Bigtable\BigtableClient;
+     *           $creds = new ServiceAccountCredentials($scopes, $json);
+     *           $options = new BigtableClient(['credentials' => $creds]);
+     *           ```
+     *           {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig Options used to configure credentials,
      *           including auth token caching, for the client. For a full list of
      *           supporting configuration options, see {@see CredentialsWrapper}.

@@ -84,9 +84,7 @@ trait RequestWrapperTrait
      *     @type array $authCacheOptions Cache configuration options.
      *     @type FetchAuthTokenInterface $credentialsFetcher A credentials
      *           fetcher instance.
-     *     @type array $keyFile The contents of the service account credentials
-     *           .json file retrieved from the Google Developer's Console.
-     *           Ex: `json_decode(file_get_contents($path), true)`.
+     *     @type array $keyFile [DEPRECATED] use `credentialsFetcher` option.
      *     @type float $requestTimeout Seconds to wait before timing out the
      *           request. **Defaults to** `0` with REST and `60` with gRPC.
      *     @type int $retries Number of retries for a failed request.

@@ -88,12 +88,8 @@ class ServiceBuilder
      *           requests specifically for authentication.
      *     @type callable $httpHandler A handler used to deliver Psr7 requests.
      *           Only valid for requests sent over REST.
-     *     @type array $keyFile The contents of the service account credentials
-     *           .json file retrieved from the Google Developer's Console.
-     *           Ex: `json_decode(file_get_contents($path), true)`.
-     *     @type string $keyFilePath The full path to your service account
-     *           credentials .json file retrieved from the Google Developers
-     *           Console.
+     *     @type array $keyFile [DEPRECATED]
+     *     @type string $keyFilePath [DEPRECATED]
      *     @type int $retries Number of retries for a failed request.
      *           **Defaults to** `3`.
      *     @type array $scopes Scopes to be used for the request.

@@ -130,12 +130,50 @@ class DatastoreClient
      *           fetcher instance.
      *     @type callable $httpHandler A handler used to deliver Psr7 requests.
      *           Only valid for requests sent over REST.
-     *     @type array $keyFile The contents of the service account credentials
-     *           .json file retrieved from the Google Developer's Console.
-     *           Ex: `json_decode(file_get_contents($path), true)`.
-     *     @type string $keyFilePath The full path to your service account
-     *           credentials .json file retrieved from the Google Developers
-     *           Console.
+     *     @type array $keyFile [DEPRECATED]
+     *           @deprecated This option is being deprecated because of a potential security risk.
+     *           This option does not validate the credential configuration. The security
+     *           risk occurs when a credential configuration is accepted from a source
+     *           that is not under your control and used without validation on your side.
+     *           If you know that you will be loading credential configurations of a
+     *           specific type, it is recommended to create the credentials directly and
+     *           configure them using the `credentialsFetcher` option instead.
+     *           ```
+     *           use Google\Auth\Credentials\ServiceAccountCredentials;
+     *           $credentialsFetcher = new ServiceAccountCredentials($scopes, $json);
+     *           $creds = new DatastoreClient(['credentialsFetcher' => $creds]);
+     *           ```
+     *           This will ensure that an unexpected credential type with potential for
+     *           malicious intent is not loaded unintentionally. You might still have to do
+     *           validation for certain credential types.
+     *           If you are loading your credential configuration from an untrusted source and have
+     *           not mitigated the risks (e.g. by validating the configuration yourself), make
+     *           these changes as soon as possible to prevent security risks to your environment.
+     *           Regardless of the method used, it is always your responsibility to validate
+     *           configurations received from external sources.
+     *           @see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+    *     @type string $keyFilePath [DEPRECATED]
+     *           @deprecated This option is being deprecated because of a potential security risk.
+     *           This option does not validate the credential configuration. The security
+     *           risk occurs when a credential configuration is accepted from a source
+     *           that is not under your control and used without validation on your side.
+     *           If you know that you will be loading credential configurations of a
+     *           specific type, it is recommended to create the credentials directly and
+     *           configure them using the `credentialsFetcher` option instead.
+     *           ```
+     *           use Google\Auth\Credentials\ServiceAccountCredentials;
+     *           $credentialsFetcher = new ServiceAccountCredentials($scopes, $json);
+     *           $creds = new DatastoreClient(['credentialsFetcher' => $creds]);
+     *           ```
+     *           This will ensure that an unexpected credential type with potential for
+     *           malicious intent is not loaded unintentionally. You might still have to do
+     *           validation for certain credential types.
+     *           If you are loading your credential configuration from an untrusted source and have
+     *           not mitigated the risks (e.g. by validating the configuration yourself), make
+     *           these changes as soon as possible to prevent security risks to your environment.
+     *           Regardless of the method used, it is always your responsibility to validate
+     *           configurations received from external sources.
+     *           @see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
      *     @type float $requestTimeout Seconds to wait before timing out the
      *           request. **Defaults to** `0` with REST and `60` with gRPC.
      *     @type int $retries Number of retries for a failed request. **Defaults