Determine this is the right repository
Summary of the issue
When using Domain-wide Delegation (DwD) by specifying a subject in google.oauth2.service_account.Credentials, the SDK requests an access token that represents a Workspace User Account.
However, the Regional Access Boundary (RAB) logic in the SDK assumes the credential still represents a Service Account. When the token is minted, the SDK automatically attempts to fetch the allowedLocations for the underlying Service Account using the newly acquired User access token.
Because the impersonated Workspace User does not have IAM permissions to view the Service Account's allowedLocations, this triggers a 403 Forbidden from iamcredentials.mtls.googleapis.com.
Since RAB policies apply to Service Accounts and not User Accounts, the SDK should skip the RAB lookup entirely when subject is populated.
Affected Classes:
This bug affects all three credential classes that support the subject parameter:
google.oauth2.service_account.Credentials
google.auth.impersonated_credentials.Credentials
google.auth.jwt.Credentials
Expected Behavior:
The _build_regional_access_boundary_lookup_url() method in these classes should return None if self._subject (or getattr(self, "_subject", None)) is set, thereby bypassing the RAB lookup for User tokens.
Was first reported in b/532587921
Determine this is the right repository
Summary of the issue
When using Domain-wide Delegation (DwD) by specifying a
subjectingoogle.oauth2.service_account.Credentials, the SDK requests an access token that represents a Workspace User Account.However, the Regional Access Boundary (RAB) logic in the SDK assumes the credential still represents a Service Account. When the token is minted, the SDK automatically attempts to fetch the
allowedLocationsfor the underlying Service Account using the newly acquired User access token.Because the impersonated Workspace User does not have IAM permissions to view the Service Account's
allowedLocations, this triggers a403 Forbiddenfromiamcredentials.mtls.googleapis.com.Since RAB policies apply to Service Accounts and not User Accounts, the SDK should skip the RAB lookup entirely when
subjectis populated.Affected Classes:
This bug affects all three credential classes that support the
subjectparameter:google.oauth2.service_account.Credentialsgoogle.auth.impersonated_credentials.Credentialsgoogle.auth.jwt.CredentialsExpected Behavior:
The
_build_regional_access_boundary_lookup_url()method in these classes should returnNoneifself._subject(orgetattr(self, "_subject", None)) is set, thereby bypassing the RAB lookup for User tokens.Was first reported in b/532587921