From 9971411cd5ca5dc9e667efd1221d7940f4d77c23 Mon Sep 17 00:00:00 2001
From: Joao Daher
Date: Thu, 2 May 2024 08:34:20 -0300
Subject: [PATCH] fix: validate email absence when generating id token
---
 gcp_pilot/iam.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gcp_pilot/iam.py b/gcp_pilot/iam.py
index fb30ae5..391ff05 100644
--- a/gcp_pilot/iam.py
+++ b/gcp_pilot/iam.py
@@ -212,9 +212,15 @@ def encode_jwt(self, payload: dict, service_account_email: str | None) -> str:
 
 @friendly_http_error
 def generate_id_token(self, audience: str, service_account_email: str | None = None) -> str:
+ email = service_account_email or self.service_account_email
+ if not email:
+ raise ValueError(
+ "You must either provide service_account_email or set GCP_SERVICE_ACCOUNT for impersonation."
+ )
+
 response = self.client.generate_id_token(
 name=self.client.service_account_path(
- service_account=service_account_email or self.service_account_email,
+ service_account=email,
 project="-",
 ),
 audience=audience,
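Review bot: The new `if not email:` guard covers only generate_id_token, while encode_jwt (named in the hunk header, body not shown) takes the same `service_account_email: str | None` parameter. If it resolves the account with the same `service_account_email or self.service_account_email` fallback, it can still build a service-account path from a missing email and needs the same check, preferably through one shared private helper so the two signing paths cannot drift apart. The `raise ValueError(...)` also sits inside `@friendly_http_error`, whose body is not visible here, so it is worth confirming that the decorator lets non-HTTP exceptions through unchanged. The method has no docstring stating the new contract; something like `"""Return an ID token for audience; raises ValueError when no service account email is given or configured."""` would document it, and a test pinning the ValueError would keep the check from regressing. The call to `self.client.generate_id_token(` continues past the end of the hunk.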