You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi there, the "--impersonate-service-account" option only supports a very specific scenario, which is to exchange user creds with service account creds, so the input creds must be user creds (ex. client-id json, or gcloud refresh token) with implicit type "oauth". At the same time, the "--type jwt" option expects the input creds to be service account creds, and generates a self-signed jwt based off of that (and returns the error you see if the input is incompatible). These two options are mutually exclusive.
I'm not familiar with impersonating IDTokenSource (and have not worked in this space for a while). Feel free to make a proposal on how this might be supported in the oauth2l tool (with input/output examples), and the maintainers can see if support could be added.
I'm trying something similar to:
And I see the following error:
It seems like no impersonated credentials are used in the JWT code path.
What I would like is the impersonated identity token (Patching JWTTokenSource with https://pkg.go.dev/google.golang.org/api/impersonate#IDTokenSource seems to give me what I'm looking for)
The text was updated successfully, but these errors were encountered: