Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Native service account integration when running on GCP #670

Closed
iamacarpet opened this issue Jul 6, 2020 · 4 comments
Closed

Native service account integration when running on GCP #670

iamacarpet opened this issue Jul 6, 2020 · 4 comments
Assignees
@thangduo
Labels
P2

Comments

@iamacarpet
Copy link

We had a requirement to use the AdWords API from an application running on App Engine, but all the authentication methods described in the library require either manually generating a client ID and a refresh token for a user, or using DWD, but the latter is only supported with a JSON key file.

This kind of goes against the grain with the convention on GCP of using credentials provided by the environment, in the form of the default service account, accessible from the metadata server with additional signing capability via the Service Account Credentials API.

I've also posted an issue in the underlying authentication library, as this seems to be related to a lack of functionality there, restricting what is available in this and other libraries: googleapis/google-auth-library-php#287

We have already implemented our own method of doing this, but it would be nice to provide an official method:

In our library for running Laravel 5.5 on App Engine, we have this new class:

https://github.com/a1comms/GaeSupportLaravel/blob/php72-laravel55/src/A1comms/GaeSupportLaravel/Integration/JWT/TokenSource/DWDTokenSource.php

Which turns this example code using credentials stored in the ini file:

use Google\AdsApi\Common\OAuth2TokenBuilder;

...

    protected function __getAdWordsClient()
    {
        $oAuth2Credential = (new OAuth2TokenBuilder())->fromFile(__DIR__ . '/adsapi_php.ini')->build();
        return (new AdWordsSessionBuilder())->fromFile(__DIR__ . '/adsapi_php.ini')->withOAuth2Credential($oAuth2Credential)->build();
    }

...

into this, which requires no deployed credentials (inc. JSON key files), only the email of the user you'd like to impersonate:

use A1comms\GaeSupportLaravel\Integration\JWT\TokenSource\DWDTokenSource;

...

    protected function __getAdWordsClient()
    {
        $oAuth2Credential = new DWDTokenSource(env('ADWORDS_USER_EMAIL'), ['https://www.googleapis.com/auth/adwords']);
        return (new AdWordsSessionBuilder())->fromFile(__DIR__ . '/adsapi_php.ini')->withOAuth2Credential($oAuth2Credential)->build();
    }

...
@fiboknacky
Copy link
Member

Hello,

Sorry, I don't quite get your requirements fully yet, so could you clarify a bit?
What would you want to achieve? Using JSON key file with this library? Or setting credential information programmatically?

Best,
Knack

@iamacarpet
Copy link
Author

Hello @fiboknacky ,

What would you want to achieve?
Using JSON key file with this library?

The same results as using a JSON key file (the Domain Wide Delegation method), but without having to use an actual JSON key file.

When running on Google Cloud Platform, access to service accounts is provided to the application by the metadata server: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#applications

This is provided by GCECredentials in google-auth-php, but by itself doesn't support impersonation/DWD the same as when using the JSON key file: however, we can get the same functionality by using the Service Account Credentials API to sign the JWT, without actually holding the private key (usually in the JSON key file), meaning the application doesn't need to hold the full set of credentials and instead can detect and use them automatically from the environment.

In our working example (we've got it running on App Engine at the moment), DWDTokenSource implements FetchTokenInterface to be consumed by this AdWords API library by extending OAuth2 and switching the toJwt method for one that signs via the Service Account Credentials API using IAMSigner and the lcobucci/jwt library.

In my code example above, the ini file no longer contains the credentials - it only contains the developerToken.

For you to support this, I think it would require some changes in the underlying google-auth-php library first.

@fiboknacky
Copy link
Member

I see and agree that the change in google/auth is needed first.
Could you follow with the owners of that library first and come back to this issue again?

@thangduo thangduo added the P2 label Sep 25, 2020
@thangduo thangduo self-assigned this Sep 25, 2020
@thangduo
Copy link
Contributor

Closing this issue due to no activity. Please feel free to reopen with new information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@thangduo thangduo

Labels
P2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@iamacarpet @fiboknacky @thangduo