Works only for some scopes #49

Open
martindurant opened this issue Nov 19, 2021 · 7 comments
@martindurant

martindurant commented Nov 19, 2021

The following line works OK for me to get credentials for gdrive:

```python
import pydata_google_auth

# Google Drive scope: works
credentials = pydata_google_auth.get_user_credentials(
    ["https://www.googleapis.com/auth/drive"])
```

but the following line

```python
# Cloud Storage scope: fails
credentials = pydata_google_auth.get_user_credentials(
    ["https://www.googleapis.com/auth/devstorage.read_write"])
```

results in
[screenshot: error shown when the devstorage.read_write scope is requested]

(same for "read_only" or "full_control").

Ref: fsspec/gcsfs#261

@tswast
Collaborator

tswast commented Dec 1, 2021

I'll see what I can do to get the app re-verified for this scope.

FWIW, I'd expect the https://www.googleapis.com/auth/cloud-platform scope to work, which provides a similar level of access.

@martindurant
Author

Isn't that a much broader level of permission? Have you seen that scope working?

@tswast
Collaborator

tswast commented Dec 1, 2021

I'm not sure how much broader it is. It's actually quite difficult to verify what access is and isn't granted with regards to scopes. For this reason, Google Cloud hasn't introduced new scopes in a long time. You'll notice that most of the products in https://developers.google.com/identity/protocols/oauth2/scopes only support https://www.googleapis.com/auth/cloud-platform or https://www.googleapis.com/auth/cloud-platform.read-only.

For applications that require narrow permissions, service accounts with limited IAM permissions are the expected way to limit access. There's a little "delegated request permissions with short-lived token" dance you can do to exchange one kind of credentials for the credentials of a service account with limited permissions. https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-delegated

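The exchange tswast refers to is the IAM Credentials API `generateAccessToken` call: the caller presents its own access token (here, the user credentials obtained from `pydata_google_auth`) and receives a short-lived token that carries only the IAM permissions of the target service account. The block below is an added example, not code from the issue or from pydata-google-auth; the service account e-mail, project and token strings are constructed for illustration, and the caller is assumed to hold `roles/iam.serviceAccountTokenCreator` on the target service account.

```python
"""Exchange a user access token for a short-lived service-account token via the
IAM Credentials API (generateAccessToken). Added example; all identifiers below
are constructed, not taken from the issue."""
import json
import datetime as dt
import urllib.request

IAM_CREDENTIALS_BASE = "https://iamcredentials.googleapis.com/v1"
# Without the org policy that allows lifetime extension, 3600s is the maximum.
MAX_LIFETIME_SECONDS = 3600


def build_token_request(source_access_token, target_sa, scopes,
                        lifetime_seconds=3600, delegates=()):
    """Return (url, headers, body) for a generateAccessToken call.

    source_access_token: access token of the caller, e.g. the token on the
        credentials returned by pydata_google_auth.get_user_credentials.
    target_sa: e-mail of the service account whose (narrower) IAM bindings
        the returned token should carry.
    scopes: OAuth scopes to request. cloud-platform is the usual choice; the
        effective permissions come from the service account's IAM roles.
    delegates: optional chain of intermediate service accounts (e-mails).
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    for scope in scopes:
        if not scope.startswith("https://www.googleapis.com/auth/"):
            raise ValueError(f"not a Google OAuth scope URL: {scope}")
    if not 0 < lifetime_seconds <= MAX_LIFETIME_SECONDS:
        raise ValueError(f"lifetime must be 1..{MAX_LIFETIME_SECONDS} seconds")

    url = (f"{IAM_CREDENTIALS_BASE}/projects/-/serviceAccounts/"
           f"{target_sa}:generateAccessToken")
    headers = {
        "Authorization": f"Bearer {source_access_token}",
        "Content-Type": "application/json",
    }
    body = {"scope": list(scopes), "lifetime": f"{lifetime_seconds}s"}
    if delegates:
        body["delegates"] = [f"projects/-/serviceAccounts/{d}" for d in delegates]
    return url, headers, body


def parse_token_response(response_json):
    """Extract (access_token, expiry as aware UTC datetime) from the response."""
    data = json.loads(response_json)
    token = data["accessToken"]
    # expireTime is RFC 3339 UTC, e.g. "2021-12-01T20:30:00Z"; drop any
    # fractional seconds before parsing.
    stamp = data["expireTime"].rstrip("Z").split(".")[0]
    expiry = dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return token, expiry.replace(tzinfo=dt.timezone.utc)


def fetch_short_lived_token(source_access_token, target_sa, scopes,
                            lifetime_seconds=3600):
    """Perform the exchange over HTTPS (network call; not run offline)."""
    url, headers, body = build_token_request(
        source_access_token, target_sa, scopes, lifetime_seconds)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed values; in practice the token comes from the refreshed
    # credentials object returned by pydata_google_auth.get_user_credentials.
    url, headers, body = build_token_request(
        "ya29.constructed-user-token",
        "gcs-reader@example-project.iam.gserviceaccount.com",
        ["https://www.googleapis.com/auth/cloud-platform"],
        lifetime_seconds=900,
    )
    print(url)
    print(json.dumps(body))
```

The resulting token is what you would hand to gcsfs (or any Cloud Storage client) instead of the user credentials: the user keeps a broad scope on the consent screen, but the bucket-level access is bounded by the service account's IAM roles and by the token lifetime.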
@tswast
Collaborator

tswast commented Dec 1, 2021

That all said, I can request "https://www.googleapis.com/auth/devstorage.read_write" permissions for the pydata-google-auth app. I'll just need to provide sufficient justification and check that our privacy policy is up-to-date.

@martindurant
Author

> most of the products in https://developers.google.com/identity/protocols/oauth2/scopes only support https://www.googleapis.com/auth/cloud-platform

That's probably good enough for me

@tswast
Collaborator

tswast commented Dec 1, 2021

Looks like I need to re-submit for verification anyway. Somehow it lost it.

@tswast tswast self-assigned this Dec 1, 2021
@martindurant
Author

Please let me know when this happens.
