Add support for specifying login-token #848
Open
Labels
priority: p2 (Moderately-important priority. Fix may not be included in next release.)
type: feature request (‘Nice-to-have’ improvement, new feature or different behavior or design.)
Now that GoogleCloudPlatform/alloydb-go-connector#432 has been merged, we should add a login-token flag so clients may distinguish between credentials used for API interaction and for IAM authentication.
Cloud SQL added a similar flag a few years ago that did something similar. See GoogleCloudPlatform/cloud-sql-proxy#1637 for details.
AlloyDB's implementation doesn't need to be as strict because we always transmit the OAuth2 token over a secure channel. Cloud SQL, by comparison, embeds the token in the client certificate, which requires special handling (e.g., TLS 1.3 to avoid sending the client cert over an unencrypted connection).