ADC Service Impersonation missing client_id #212
Comments
can you try just placing the
@dermesser It would be really great if you could provide a fully working example from A to Z, i.e. the right way to do it.

Reproduce:

```sh
gcloud auth application-default login --impersonate-service-account calendar@homelab-422502.iam.gserviceaccount.com
```

The result should look like this:

```json
{
  "delegates": [],
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/calendar@homelab-422502.iam.gserviceaccount.com:generateAccessToken",
  "source_credentials": {
    "account": "",
    "client_id": "<>.apps.googleusercontent.com",
    "client_secret": "<>",
    "refresh_token": "<>",
    "type": "authorized_user",
    "universe_domain": "googleapis.com"
  },
  "type": "impersonated_service_account"
}
```

Code:

```rust
use google_calendar3::CalendarHub;
use log::{error, info};
use std::process;
use yup_oauth2::{read_authorized_user_secret, ServiceAccountImpersonationAuthenticator};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // File written by `gcloud auth application-default login --impersonate-service-account ...`
    let user_secret =
        read_authorized_user_secret("private/service-account-credentials.json").await?;
    let email = "calendar@homelab-422502.iam.gserviceaccount.com";
    // Debug output only: this line logs client_secret and refresh_token in clear text.
    info!("User secret: {:?}", user_secret);

    // Impersonate the service account using the user credential as the source.
    let auth = ServiceAccountImpersonationAuthenticator::builder(user_secret.clone(), email)
        .build()
        .await
        .expect("authenticator");

    let scopes = &["https://www.googleapis.com/auth/calendar"];
    let token = match auth.token(scopes).await {
        Ok(token) => token,
        Err(e) => {
            error!("Failed to authenticate: {:?}", e);
            process::exit(1);
        }
    };
    info!("Token: {:?}", token);

    let hub = CalendarHub::new(
        hyper::Client::builder().build(
            hyper_rustls::HttpsConnectorBuilder::new()
                .with_native_roots()
                .https_only()
                .enable_http2()
                .build(),
        ),
        auth,
    );
    let calendar = hub.calendar_list().list().doit().await?;
    info!("Calendar ID: {:?}", calendar.1);
    Ok(())
}
```

I tried following your comment about:

```json
{
  "account": "",
  "client_id": "<>.apps.googleusercontent.com",
  "client_secret": "<Redacted>",
  "refresh_token": "<Redacted>",
  "type": "authorized_user", // also tried with impersonated_service_account
  "universe_domain": "googleapis.com"
}
```
Seems similar to firebase/firebase-admin-node#1861; it looks like an ImpersonatedServiceAccount type needs to be implemented. Otherwise it seems similar to AuthorizedUserAuthenticator.
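The credential file shown in the earlier comment has two layers: a top-level `impersonated_service_account` object that carries no `client_id` of its own, and a nested `source_credentials` object of type `authorized_user` that does. The following is an added example, not code from yup-oauth2 or from anyone in this thread, showing the file handling a library would need for the `ImpersonatedServiceAccount` type suggested above: branch on `type`, pull the user credential out of `source_credentials`, validate that the impersonation URL points at the IAM Credentials API over TLS before any token is ever sent there, and build the `generateAccessToken` request body. It is written in Python with only the standard library so it runs stand-alone (the thread's code is Rust); the sample file and its secrets are constructed placeholders, and the explanation of where the "missing client_id" error comes from is an inference, not something the thread confirms.

```python
"""Parse a gcloud Application Default Credentials (ADC) file and branch on `type`.

Added example, not code from yup-oauth2 or from the issue thread. Standard
library only; nothing here talks to the network.
"""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

IAM_HOST = "iamcredentials.googleapis.com"

# Constructed sample: the layout `gcloud auth application-default login
# --impersonate-service-account ...` writes, with placeholder secrets.
SAMPLE_ADC = json.dumps({
    "delegates": [],
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "calendar@homelab-422502.iam.gserviceaccount.com:generateAccessToken"),
    "source_credentials": {
        "account": "",
        "client_id": "000000000000-example.apps.googleusercontent.com",
        "client_secret": "PLACEHOLDER_SECRET",
        "refresh_token": "PLACEHOLDER_REFRESH_TOKEN",
        "type": "authorized_user",
        "universe_domain": "googleapis.com",
    },
    "type": "impersonated_service_account",
})
# Constructed sample of a plain user credential (the nested object on its own).
SAMPLE_USER_ADC = json.dumps(json.loads(SAMPLE_ADC)["source_credentials"])


@dataclass
class AuthorizedUser:
    client_id: str
    client_secret: str
    refresh_token: str


@dataclass
class Impersonated:
    source: AuthorizedUser
    target_email: str
    impersonation_url: str
    delegates: list = field(default_factory=list)


class AdcError(ValueError):
    pass


def parse_authorized_user(info: dict) -> AuthorizedUser:
    # Presumably the "missing client_id" in the issue title: the top-level
    # impersonated object has no client_id; it lives under source_credentials.
    if info.get("type") != "authorized_user":
        raise AdcError(f"expected authorized_user, got {info.get('type')!r}")
    missing = [k for k in ("client_id", "client_secret", "refresh_token") if not info.get(k)]
    if missing:
        raise AdcError("authorized_user credential missing " + ", ".join(missing))
    return AuthorizedUser(info["client_id"], info["client_secret"], info["refresh_token"])


_SA_PATH = re.compile(r"^/v1/projects/-/serviceAccounts/([^/:]+):generateAccessToken$")


def target_from_url(url: str) -> str:
    # Only ever send the user's access token to the IAM Credentials API over
    # TLS; a tampered ADC file must not redirect the call to another host.
    u = urlparse(url)
    if u.scheme != "https" or u.netloc != IAM_HOST:
        raise AdcError(f"impersonation URL must be https://{IAM_HOST}/..., got {url!r}")
    m = _SA_PATH.match(u.path)
    if not m:
        raise AdcError(f"unexpected impersonation path {u.path!r}")
    return m.group(1)


def load_adc(text: str):
    """Return AuthorizedUser or Impersonated depending on the file's `type`."""
    info = json.loads(text)
    kind = info.get("type")
    if kind == "authorized_user":
        return parse_authorized_user(info)
    if kind == "impersonated_service_account":
        url = info.get("service_account_impersonation_url", "")
        return Impersonated(
            source=parse_authorized_user(info.get("source_credentials", {})),
            target_email=target_from_url(url),
            impersonation_url=url,
            delegates=list(info.get("delegates") or []),  # passed through as written
        )
    raise AdcError(f"unsupported ADC credential type {kind!r}")


def generate_access_token_request(cred: Impersonated, scopes, lifetime_s: int = 3600) -> dict:
    """Body for POST cred.impersonation_url, authorised with the *source* user's
    access token; the response carries accessToken and expireTime."""
    return {"scope": list(scopes), "lifetime": f"{lifetime_s}s", "delegates": cred.delegates}
```

The order of operations matters: the source user token obtained from `client_id`/`client_secret`/`refresh_token` is only good for calling `generateAccessToken`, and the short-lived token that call returns is what the application then presents to Calendar or any other API, so the user's long-lived refresh token never has to be granted the target scopes directly.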
I finally found a workaround. First go to your service account in GCP and, under Permissions, click Grant access. Add your personal user account as a principal to the service account with the service token creator role. Wait a few minutes. Then you can do this:

And in Rust use those credentials while impersonating like this:
Executing:
With the code:
Results in:
This is unexpected, as the client_id value is present.
This service_account_impersonation example also fails with this credential, but with the error:
at the time of use instead.
This is important, as this gcloud command is the recommended way to do local development without code changes. A user is expected to impersonate a service account, and the application will then behave as if it were live in production actually using said service account.