Description
Problem Summary
Currently we create delegated credentials using downloaded ServiceAccount keys.
We learned that the python auth library supports using the Application Default Credential (ADC)
to generate delegated credentials, thus avoiding private key downloads which is a security risk.
The java library apparently does not support this feature.
Use Case Details
We have a service account S that has domain-wide delegation permission on our domain as user U.
We have downloaded a ServiceAccount key for S, and use it to create delegated credentials:
GoogleCredentials.fromStream(text-fetched-from-db)
.createDelegated("user-U@our-domain.co")
.createScoped(...);
The python library shows that it is possible to use the ADC to generate a credential for S. A detailed example
can be found here. If this is supported in the java library, presumably the new code would look like below.
The only requirement is for the ADC to have token creator permission on service account S.
SomeCredentials.newBuilder()
.setSigner(GoogleCredentials.getApplicationDefault())
.setIssuer(service-account-S-email)
.createDelegated(user-U@our-domain.co)
.createScoped(...);
Edited on Oct 24: I was wrong saying it is possible to "use the ADC to generate a credential for S". What can be done is
as follows:
- Domain-wide delegation needs to be granted to the ADC, we can no longer use the service account S.
- The above being done, we can use the ADC to sign an access token for itself. We verified that this is doable with AppEngine and Java using a hacked version of ServiceAccountCredentials.java
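The flow the original proposal sketches (signer = the ADC, issuer = service account S, subject = user U) is the same mechanism the Python library exposes through an IAM-backed signer: the delegation JWT is signed by the IAM Credentials API with S's Google-managed key, so no private key is ever downloaded, and the caller only needs roles/iam.serviceAccountTokenCreator on S. The following is an added example written for this page, not code from the issue author or from google-auth-library-java; it talks to the documented signJwt REST endpoint and the OAuth 2.0 token endpoint directly. It assumes Java 11+ and Gson on the classpath, and the service-account email, user and scope values are placeholders.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;

import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.List;

/**
 * Added example: obtain a domain-wide-delegated access token for user U via service
 * account S without downloading S's key. The ADC principal (e.g. the App Engine default
 * service account) needs roles/iam.serviceAccountTokenCreator on S; S keeps the
 * domain-wide delegation grant. Signing happens inside IAM, so there is no key file to protect.
 */
public final class AdcDelegatedToken {
    private static final String IAM_SIGN_JWT =
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:signJwt";
    private static final String TOKEN_URI = "https://oauth2.googleapis.com/token";
    private static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";

    private final HttpClient http = HttpClient.newHttpClient();

    /** Claims of the JWT assertion expected by the service-account (jwt-bearer) flow with a delegated subject. */
    static String buildAssertionClaims(String issuerSa, String subjectUser, List<String> scopes, Instant now) {
        JsonObject claims = new JsonObject();
        claims.addProperty("iss", issuerSa);        // service account S, the identity granted domain-wide delegation
        claims.addProperty("sub", subjectUser);     // user U that S is allowed to act as
        claims.addProperty("scope", String.join(" ", scopes));
        claims.addProperty("aud", TOKEN_URI);
        claims.addProperty("iat", now.getEpochSecond());
        claims.addProperty("exp", now.plusSeconds(3600).getEpochSecond()); // the token endpoint accepts at most 1h
        return claims.toString();
    }

    /** Ask the IAM Credentials API to sign the claims with S's Google-managed key; the ADC authenticates the call. */
    String signWithIam(GoogleCredentials adc, String issuerSa, String claimsJson) throws IOException, InterruptedException {
        adc.refreshIfExpired();
        AccessToken callerToken = adc.getAccessToken();
        JsonObject body = new JsonObject();
        body.addProperty("payload", claimsJson);
        HttpRequest req = HttpRequest.newBuilder(URI.create(String.format(IAM_SIGN_JWT, issuerSa)))
            .header("Authorization", "Bearer " + callerToken.getTokenValue())
            .header("Content-Type", "application/json")
            .POST(HttpRequest.BodyPublishers.ofString(body.toString()))
            .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // A 403 here usually means the ADC principal lacks serviceAccountTokenCreator on S.
            throw new IOException("signJwt failed: HTTP " + resp.statusCode() + " " + resp.body());
        }
        return JsonParser.parseString(resp.body()).getAsJsonObject().get("signedJwt").getAsString();
    }

    /** Exchange the signed assertion for an access token that acts as user U. */
    String exchangeForAccessToken(String signedJwt) throws IOException, InterruptedException {
        String form = "grant_type=" + URLEncoder.encode("urn:ietf:params:oauth:grant-type:jwt-bearer", StandardCharsets.UTF_8)
            + "&assertion=" + URLEncoder.encode(signedJwt, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_URI))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form))
            .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // "unauthorized_client" here usually means the domain-wide delegation grant for S does not cover these scopes.
            throw new IOException("token exchange failed: HTTP " + resp.statusCode() + " " + resp.body());
        }
        return JsonParser.parseString(resp.body()).getAsJsonObject().get("access_token").getAsString();
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: substitute service account S and delegated user U from the issue.
        String serviceAccountS = "service-account-S@PROJECT_ID.iam.gserviceaccount.com";
        String userU = "user-U@our-domain.co";
        List<String> scopes = List.of("https://www.googleapis.com/auth/admin.directory.user.readonly");

        GoogleCredentials adc = GoogleCredentials.getApplicationDefault().createScoped(List.of(CLOUD_PLATFORM_SCOPE));
        AdcDelegatedToken flow = new AdcDelegatedToken();
        String claims = buildAssertionClaims(serviceAccountS, userU, scopes, Instant.now());
        String signedJwt = flow.signWithIam(adc, serviceAccountS, claims);
        String delegatedToken = flow.exchangeForAccessToken(signedJwt);
        // Wrap it for Google API clients: GoogleCredentials.create(new AccessToken(delegatedToken, null))
        System.out.println("obtained delegated access token (" + delegatedToken.length() + " chars)");
    }
}
```

The token returned by exchangeForAccessToken is what ServiceAccountCredentials.createDelegated would have produced from a key file; the difference is that the signing key never leaves IAM and the signJwt call is made by an identity that can be granted and revoked with an IAM binding instead of a downloadable secret.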