Domain Wide Delegation tokens without a key file on GCP #287

Open
iamacarpet opened this issue Jul 6, 2020 · 1 comment
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

@iamacarpet

Is your feature request related to a problem? Please describe.
We had a requirement to use the AdWords API from an application running on App Engine, but all the authentication methods described in the library require either manually generating a client ID and a refresh token for a user, or using DWD, but the latter is only supported with a JSON key file.

This kind of goes against the grain with the convention on GCP of using credentials provided by the environment, in the form of the default service account, accessible from the metadata server with additional signing capability via the Service Account Credentials API.

Looking at this library, which is what AdWords is using for the underlying authentication (and we are also using in a lot of other places, with being on App Engine & GCP, namely the google-cloud-php library), it seems they couldn't implement it any other way, as there is a lack of functionality for doing DWD with the GCECredentials provider.

Describe the solution you'd like
The ability to use the GCECredentials class for DWD tokens, using the metadata server provided service account.

This would be useful from not just App Engine, but also Cloud Run, Cloud Functions, GKE with Workload Identity & GCE.

It would mean not needing to deploy credentials along with our applications, which regardless of KMS encryption for Cloud Build, still isn't an ideal solution.

Describe alternatives you've considered
We've already implemented our own version of this, by extending the OAuth2 class in this library, see here.

It would be nice to get something integrated & supported natively in this library.
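
The flow the request above describes (identity from the metadata server, signing through the Service Account Credentials API, then the JWT bearer exchange), as an added example that is not part of the issue and is not code from this library or from the issue author. The function `dwdAccessToken`, the injected `$http` transport, and all sample values are hypothetical; PHP 8 is assumed.

```php
<?php
// Added example. $http is a hypothetical transport with the shape
// fn(string $method, string $url, array $headers, ?string $body): string
const METADATA = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/';
const TOKEN_URI = 'https://oauth2.googleapis.com/token';

function dwdAccessToken(callable $http, string $subject, array $scopes, ?int $now = null): array
{
    $now ??= time();
    $md = ['Metadata-Flavor: Google'];

    // 1. Email and short-lived token of the service account attached to the workload.
    $email = trim($http('GET', METADATA . 'email', $md, null));
    $saToken = json_decode($http('GET', METADATA . 'token', $md, null), true)['access_token'];

    // 2. Claim set for the JWT bearer grant; "sub" is the domain user to act as.
    $claims = [
        'iss' => $email, 'sub' => $subject,
        'scope' => implode(' ', $scopes), 'aud' => TOKEN_URI,
        'iat' => $now, 'exp' => $now + 3600, // one hour is the maximum lifetime
    ];

    // 3. Have the Service Account Credentials API sign it; no key file is involved.
    $signUrl = 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/' . $email . ':signJwt';
    $signed = json_decode($http('POST', $signUrl, [
        'Authorization: Bearer ' . $saToken,
        'Content-Type: application/json',
    ], json_encode(['payload' => json_encode($claims)])), true)['signedJwt'];

    // 4. Exchange the signed assertion for an access token that acts as $subject.
    $form = http_build_query([
        'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
        'assertion' => $signed,
    ]);
    return json_decode($http('POST', TOKEN_URI, ['Content-Type: application/x-www-form-urlencoded'], $form), true);
}

// Constructed offline transport with made-up responses, so the four calls can be traced.
$fake = function (string $method, string $url, array $headers, ?string $body): string {
    if (str_ends_with($url, '/email')) return 'app@example-project.iam.gserviceaccount.com';
    if (str_ends_with($url, '/token')) return '{"access_token":"sa-token","expires_in":3599}';
    if (str_ends_with($url, ':signJwt')) return '{"keyId":"k1","signedJwt":"header.payload.sig"}';
    parse_str($body, $f);
    return json_encode(['access_token' => 'dwd-for-' . $f['assertion'], 'expires_in' => 3599]);
};
echo json_encode(dwdAccessToken($fake, 'user@example.com', ['https://www.googleapis.com/auth/adwords'])), PHP_EOL;
```

With a real transport, the service account needs permission to call `signJwt` on itself (for example through the Service Account Token Creator role), and its client ID must be authorized for the requested scopes under domain-wide delegation. That self-signing grant is the access to review, because any workload that can sign as the account can request tokens for any user in the domain within those scopes.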

@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Jul 7, 2020
@danoscarmike danoscarmike added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. and removed 🚨 This issue needs some love. triage me I really want to be triaged. labels Jul 17, 2020
@nchicong

nchicong commented Jul 8, 2021

+1
