[Bug] Allow UserRefreshCredentials in IAMCredentialsService sign_service_account_jwt #738

Open
ianjhuang opened this issue Nov 8, 2018 · 0 comments
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Is your feature request related to a problem? Please describe.

The gcloud cli allows signing a JWT token on behalf of a service account using user credentials. The Ruby library does not. The following code results in the error below:

```ruby
require 'json'
require 'googleauth'
require 'google/apis/iamcredentials_v1'

service = Google::Apis::IamcredentialsV1::IAMCredentialsService.new
# Default credentials (UserRefreshCredentials) from https://github.com/googleapis/google-auth-library-ruby
service.authorization = Google::Auth.get_application_default(['https://www.googleapis.com/auth/cloud-platform'])

# Claims to be signed on behalf of the service account; expires in 10 minutes
req = Google::Apis::IamcredentialsV1::SignJwtRequest.new
req.payload = {
  :aud => '<my audience>',
  :sub => '<my_subject>',
  :exp => (Time.new + 600).to_i
}.to_json

resp = service.sign_service_account_jwt('projects/-/<my service account>', req)
```

Results in:

```
/.../.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/google-api-client-0.25.0/lib/google/apis/core/http_command.rb:228:in 'check_status': accessNotConfigured: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the iamcredentials.googleapis.com. We recommend that most server applications use service accounts instead. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. (Google::Apis::ClientError)
```

Describe the solution you'd like
The library should be able to sign a JWT token successfully. The expected behavior should match the gcloud cli (run locally):

```
$ gcloud beta iam service-accounts sign-jwt login_request.json signed_jwt.json --iam-account=<my service account>
signed jwt [login_request.json] as [signed_jwt.json] for [<my service account>] using key [<scrubbed key>]
```

Describe alternatives you've considered
The alternative is to download a JSON key of a GCP service account with access token signing permissions. However, then the code needs to be aware of that JSON key, and it is a hassle to pass it around to other devs, and makes setup more difficult.

System Info

  • Ruby 2.5.1
  • googleauth (0.6.6)
  • google-api-client (0.25.0)
@JustinBeckwith JustinBeckwith added triage me I really want to be triaged. 🚨 This issue needs some love. labels Nov 9, 2018
@TheRoyalTnetennba TheRoyalTnetennba added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Dec 4, 2018
@JustinBeckwith JustinBeckwith removed 🚨 This issue needs some love. triage me I really want to be triaged. labels Dec 4, 2018
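
An added example, not part of the original issue or of the Google client libraries: a local preflight check that reports which kind of Application Default Credentials file is in use before `sign_service_account_jwt` is called, so the error reported above can be anticipated and a service account key on disk is noticed. The function names, returned hash and messages are hypothetical; the check reads only the `GOOGLE_APPLICATION_CREDENTIALS` file or the Linux/macOS gcloud well-known file, and the sample file it writes is constructed.

```ruby
require 'json'
require 'tmpdir'
require 'fileutils'

# File written by `gcloud auth application-default login` (Linux/macOS), relative to $HOME.
WELL_KNOWN_ADC = File.join('.config', 'gcloud', 'application_default_credentials.json')

MESSAGES = {
  end_user: 'end-user credentials: iamcredentials rejected these in the report above',
  service_account: 'service account key file: contains a private key, restrict access to it',
  other: 'credential type not handled by this check',
  invalid: 'credentials file is not a JSON object',
  missing: 'no ADC file found (metadata-server credentials are not checked here)'
}.freeze

# File ADC would read: the env override if set, else the well-known file; nil if absent.
def locate_adc(env: ENV, home: Dir.home)
  path = env['GOOGLE_APPLICATION_CREDENTIALS'] || File.join(home, WELL_KNOWN_ADC)
  File.file?(path) ? path : nil
end

# Classify by the "type" field only; token and key material are never printed.
def adc_kind(path)
  return :missing if path.nil?
  doc = JSON.parse(File.read(path))
  return :invalid unless doc.is_a?(Hash)
  case doc['type']
  when 'authorized_user' then :end_user
  when 'service_account' then :service_account
  else :other
  end
rescue JSON::ParserError
  :invalid
end

# Hypothetical preflight to run before sign_service_account_jwt.
def preflight_sign_jwt(env: ENV, home: Dir.home)
  path = locate_adc(env: env, home: home)
  kind = adc_kind(path)
  { path: path, kind: kind, message: MESSAGES.fetch(kind) }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |home| # constructed sample: a fake gcloud user-login ADC file
    adc = File.join(home, WELL_KNOWN_ADC)
    FileUtils.mkdir_p(File.dirname(adc))
    File.write(adc, JSON.generate('type' => 'authorized_user', 'refresh_token' => 'constructed'))
    puts preflight_sign_jwt(env: {}, home: home)[:message]
  end
end
```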