Support for impersonated_service_account type keys

[laszlocph]

Is your feature request related to a problem? Please describe.
I'm trying to provide a scalable way for our developers to run their apps locally and be able to access buckets through a service account.

So far they used a shared service account key locally. The app loaded it and they were able to access the buckets.

I would prefer though to have personal keys instead, but would not want to distribute keys for each user.

Instead, I would like to use the already existing credentials of the gcloud tool.

There is a feature that allows users to impersonate a service account, but there identity would be logged during this impersonation:

gcloud auth application-default login \
--impersonate-service-account=<service account email>

Using this feature though, this lib throws an error

The file /Users/xxx/.config/gcloud/application_default_credentials.json does not have a valid type. Type is impersonated_service_account, expected one of ('authorized_user', 'service_account', 'external_account').

I would want this library to support this relatively new way of authenticating to Google APIs.

Describe the solution you'd like
The feature is implemented in Golang and JAVA libraries, as described in this blog post:
https://medium.com/google-cloud/run-your-app-locally-as-if-you-were-on-google-cloud-2722e33e5656

The Golang solution: golang/oauth2#516

Describe alternatives you've considered

• used a shared key
• make a service account for each user and distribute keys for them

Both are subpar in terms of security and involved workload compared to the proposed solution.

Additional context
none

[andrewsg]

Thank you for your report. Could I ask for a traceback of this issue? I think the relevant code will end up being in the google-auth library and the traceback will verify that. Feel free to redact anything in the traceback that is specific to your code, and feel free to alternatively email the traceback to [email protected] if you prefer.

[laszlocph]

The traceback

Traceback (most recent call last):
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/flask/app.py", line 2095, in __call__
    return self.wsgi_app(environ, start_response)
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/flask/app.py", line 2080, in wsgi_app
    response = self.handle_exception(e)
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/flask/app.py", line 2077, in wsgi_app
    response = self.full_dispatch_request()
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/flask/app.py", line 1525, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/flask/app.py", line 1523, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/flask/app.py", line 1509, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/functions_framework/__init__.py", line 99, in view_func
    return function(request._get_current_object())
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/functions_framework/__init__.py", line 80, in wrapper
    return func(*args, **kwargs)
  File "/Users/xx/Documents/yy/yy-functions-py/transform-video/main.py", line 23, in transform_video
    GCS_CLIENT = get_gcs_client()
  File "/Users/xx/Documents/yy/yy-functions-py/transform-video/gcsutil.py", line 52, in get_gcs_client
    GCS_CLIENT = storage.Client().from_service_account_json("/Users/xx/.config/gcloud/application_default_credentials.json")
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/google/cloud/client/__init__.py", line 109, in from_service_account_json
    return cls.from_service_account_info(credentials_info, *args, **kwargs)
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/google/cloud/client/__init__.py", line 76, in from_service_account_info
    credentials = service_account.Credentials.from_service_account_info(info)
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/google/oauth2/service_account.py", line 221, in from_service_account_info
    signer = _service_account_info.from_dict(
  File "/Users/xx/Library/Caches/pypoetry/virtualenvs/test-Wimedase-py3.10/lib/python3.10/site-packages/google/auth/_service_account_info.py", line 49, in from_dict
    raise ValueError(
ValueError: Service account info was not in the expected format, missing fields client_email, token_uri.

Dependencies:

functions-framework==3.0.0
google-cloud-storage==2.3.0
ffmpeg==1.4
ffmpeg-python==0.1.18

[andrewsg]

Thank you! Based on this traceback, it does look like the issue is in google-auth. I'm afraid I have to close this bug on the Storage side, but hopefully the Auth library folks will be able to help.

[laszlocph]

Looks like newer google-auth versions are able to handle this.

Support was added in googleapis/google-auth-library-python#762

Can you see if you use the latest google-auth version @andrewsg

[andrewsg]

@laszlocph The setup.py for this package does not require an updated version of google-auth but it does not preclude it either. Typically pip will install the most recent compatible version, and if it didn't in your case there must be a specific reason. Can you tell me what version of google-auth is installed on your system in particular?