
impersonate service account and type jwt does not seem to work well together #165

Open
mzeo opened this issue Mar 4, 2024 · 1 comment


mzeo commented Mar 4, 2024

I'm trying something similar to:

oauth2l fetch --refresh --impersonate-service-account='[email protected]' --type jwt --audience="https://google.com"

And I see the following error:

google: could not parse JSON key: google: read JWT from JSON credentials: 'type' field is "authorized_user" (expected "service_account")

It seems like no impersonated credentials are used in the JWT code path.

What I would like is the impersonated identity token (patching JWTTokenSource with https://pkg.go.dev/google.golang.org/api/impersonate#IDTokenSource seems to give me what I'm looking for).

@andyrzhao (Collaborator)

Hi there, the "--impersonate-service-account" option only supports a very specific scenario, which is to exchange user creds with service account creds, so the input creds must be user creds (ex. client-id json, or gcloud refresh token) with implicit type "oauth". At the same time, the "--type jwt" option expects the input creds to be service account creds, and generates a self-signed jwt based off of that (and returns the error you see if the input is incompatible). These two options are mutually exclusive.

I'm not familiar with impersonating IDTokenSource (and have not worked in this space for a while). Feel free to make a proposal on how this might be supported in the oauth2l tool (with input/output examples), and the maintainers can see if support could be added.

Cheers~
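To make the maintainer's explanation concrete, here is a stand-alone Go illustration (added for this page; not oauth2l's own code) of what the `--type jwt` path does: it reads the credentials JSON, refuses anything whose `type` is not `service_account` with the same error text the issue quotes, and otherwise mints a self-signed RS256 JWT whose `aud` is the `--audience` value. The RSA key and the credential JSON values are constructed placeholders, and the key is passed in already parsed rather than read from the file's `private_key` field.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// Subset of a Google credentials JSON file used here (real field names).
type credentialFile struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
}

// selfSignedJWT mirrors what the maintainer says --type jwt does: accept only a
// service_account key (else return the issue's error text) and sign an RS256 JWT
// with aud set to the --audience value. The key is passed in already parsed.
func selfSignedJWT(raw []byte, key *rsa.PrivateKey, audience string, now time.Time) (string, error) {
	var cf credentialFile
	if err := json.Unmarshal(raw, &cf); err != nil {
		return "", fmt.Errorf("could not parse JSON key: %w", err)
	}
	if cf.Type != "service_account" {
		return "", fmt.Errorf("read JWT from JSON credentials: 'type' field is %q (expected \"service_account\")", cf.Type)
	}
	enc := base64.RawURLEncoding.EncodeToString
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": cf.ClientEmail, "sub": cf.ClientEmail, "aud": audience,
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(),
	})
	signingInput := enc(header) + "." + enc(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key, constructed for the demo
	_, err := selfSignedJWT([]byte(`{"type":"authorized_user"}`), key, "https://google.com", time.Now())
	fmt.Println(err) // the same mismatch error the issue reports
}
```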
