Update dependencies

vendor/cloud.google.com/go/auth/grpctransport/directpath.go

@@ -20,14 +20,18 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"time"
 
 	"cloud.google.com/go/auth"
 	"cloud.google.com/go/auth/credentials"
 	"cloud.google.com/go/auth/internal/compute"
+	"golang.org/x/time/rate"
 	"google.golang.org/grpc"
 	grpcgoogle "google.golang.org/grpc/credentials/google"
 )
 
+var logRateLimiter = rate.Sometimes{Interval: 1 * time.Second}
+
 func isDirectPathEnabled(endpoint string, opts *Options) bool {
 	if opts.InternalOptions != nil && !opts.InternalOptions.EnableDirectPath {
 		return false
@@ -111,14 +115,16 @@ func isDirectPathBoundTokenEnabled(opts *InternalOptions) bool {
 // configuration allows the use of direct path. If it does not the provided
 // grpcOpts and endpoint are returned.
 func configureDirectPath(grpcOpts []grpc.DialOption, opts *Options, endpoint string, creds *auth.Credentials) ([]grpc.DialOption, string, error) {
+	logRateLimiter.Do(func() {
+		logDirectPathMisconfig(endpoint, creds, opts)
+	})
 	if isDirectPathEnabled(endpoint, opts) && compute.OnComputeEngine() && isTokenProviderDirectPathCompatible(creds, opts) {
 		// Overwrite all of the previously specific DialOptions, DirectPath uses its own set of credentials and certificates.
 		defaultCredetialsOptions := grpcgoogle.DefaultCredentialsOptions{PerRPCCreds: &grpcCredentialsProvider{creds: creds}}
 		if isDirectPathBoundTokenEnabled(opts.InternalOptions) && isTokenProviderComputeEngine(creds) {
-			opts.DetectOpts.TokenBindingType = credentials.ALTSHardBinding
-			altsCreds, err := credentials.DetectDefault(opts.resolveDetectOptions())
-			// Revert it back since the same opts will be used in subsequent dial() calls.
-			opts.DetectOpts.TokenBindingType = credentials.NoBinding
+			optsClone := opts.resolveDetectOptions()
+			optsClone.TokenBindingType = credentials.ALTSHardBinding
+			altsCreds, err := credentials.DetectDefault(optsClone)
 			if err != nil {
 				return nil, "", err
 			}
@@ -152,3 +158,20 @@ func configureDirectPath(grpcOpts []grpc.DialOption, opts *Options, endpoint str
 	}
 	return grpcOpts, endpoint, nil
 }
+
+func logDirectPathMisconfig(endpoint string, creds *auth.Credentials, o *Options) {
+
+	// Case 1: does not enable DirectPath
+	if !isDirectPathEnabled(endpoint, o) {
+		o.logger().Warn("DirectPath is disabled. To enable, please set the EnableDirectPath option along with the EnableDirectPathXds option.")
+	} else {
+		// Case 2: credential is not correctly set
+		if !isTokenProviderDirectPathCompatible(creds, o) {
+			o.logger().Warn("DirectPath is disabled. Please make sure the token source is fetched from GCE metadata server and the default service account is used.")
+		}
+		// Case 3: not running on GCE
+		if !compute.OnComputeEngine() {
+			o.logger().Warn("DirectPath is disabled. DirectPath is only available in a GCE environment.")
+		}
+	}
+}

vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go

@@ -304,17 +304,18 @@ func dial(ctx context.Context, secure bool, opts *Options) (*grpc.ClientConn, er
 			// This condition is only met for non-DirectPath clients because
 			// TransportTypeMTLSS2A is used only when InternalOptions.EnableDirectPath
 			// is false.
+			optsClone := opts.resolveDetectOptions()
 			if transportCreds.TransportType == transport.TransportTypeMTLSS2A {
 				// Check that the client allows requesting hard-bound token for the transport type mTLS using S2A.
 				for _, ev := range opts.InternalOptions.AllowHardBoundTokens {
 					if ev == "MTLS_S2A" {
-						opts.DetectOpts.TokenBindingType = credentials.MTLSHardBinding
+						optsClone.TokenBindingType = credentials.MTLSHardBinding
 						break
 					}
 				}
 			}
 			var err error
-			creds, err = credentials.DetectDefault(opts.resolveDetectOptions())
+			creds, err = credentials.DetectDefault(optsClone)
 			if err != nil {
 				return nil, err
 			}