Summary
When debugging clickhousectl cloud behavior, it is hard to tell which credential source actually won precedence.
Today credentials can come from:
--api-key / --api-secret- project-local
.clickhouse/credentials.json
CLICKHOUSE_CLOUD_API_KEY / CLICKHOUSE_CLOUD_API_SECRET- oauth
A small debug feature to show the resolved auth source would make problems much easier to diagnose.
Why this would help
A command can appear to be using env vars, but actually be reading a project-local credentials file instead. That makes auth failures and environment mismatches hard to understand.
Suggested approaches
Add a --debug flag which outputs debug info into the command output. For now, this only includes this auth detail, but we can use it for other stuff later.
The important part is that the CLI reports the actual winning source after precedence is applied, rather than leaving callers to infer it. Also, it must work with and without json out.
Summary
When debugging
clickhousectl cloudbehavior, it is hard to tell which credential source actually won precedence.Today credentials can come from:
--api-key/--api-secret.clickhouse/credentials.jsonCLICKHOUSE_CLOUD_API_KEY/CLICKHOUSE_CLOUD_API_SECRETA small debug feature to show the resolved auth source would make problems much easier to diagnose.
Why this would help
A command can appear to be using env vars, but actually be reading a project-local credentials file instead. That makes auth failures and environment mismatches hard to understand.
Suggested approaches
Add a --debug flag which outputs debug info into the command output. For now, this only includes this auth detail, but we can use it for other stuff later.
The important part is that the CLI reports the actual winning source after precedence is applied, rather than leaving callers to infer it. Also, it must work with and without json out.