Skip to content

Auth: RAB lookup should be skipped in DwD flows #17703

Description

@nbayati

Determine this is the right repository

  • I determined this is the correct repository in which to report this bug.

Summary of the issue

When using Domain-wide Delegation (DwD) by specifying a subject in google.oauth2.service_account.Credentials, the SDK requests an access token that represents a Workspace User Account.

However, the Regional Access Boundary (RAB) logic in the SDK assumes the credential still represents a Service Account. When the token is minted, the SDK automatically attempts to fetch the allowedLocations for the underlying Service Account using the newly acquired User access token.

Because the impersonated Workspace User does not have IAM permissions to view the Service Account's allowedLocations, this triggers a 403 Forbidden from iamcredentials.mtls.googleapis.com.

Since RAB policies apply to Service Accounts and not User Accounts, the SDK should skip the RAB lookup entirely when subject is populated.

Affected Classes:
This bug affects all three credential classes that support the subject parameter:

  • google.oauth2.service_account.Credentials
  • google.auth.impersonated_credentials.Credentials
  • google.auth.jwt.Credentials

Expected Behavior:
The _build_regional_access_boundary_lookup_url() method in these classes should return None if self._subject (or getattr(self, "_subject", None)) is set, thereby bypassing the RAB lookup for User tokens.

Was first reported in b/532587921

Metadata

Metadata

Assignees

Labels

type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions