Unable to use impersonated credentials with gcloud.aio.storage #685

Open
and3rson opened this issue Feb 23, 2024 · 3 comments
and3rson commented Feb 23, 2024

I need to impersonate a SA in order to be able to sign GCS URLs locally as follows:

gcloud auth application-default login --impersonate-service-account=EMAIL

However, instantiating gcloud.aio.storage.Client with such credentials fails:

  File "/REDACTED/google.py", line 163, in __init__
    self.client = Storage()
                  ^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gcloud/aio/storage/storage.py", line 168, in __init__
    self.token = token or Token(
                          ^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gcloud/aio/auth/token.py", line 265, in __init__
    super().__init__(service_file=service_file, session=session)
  File "/usr/local/lib/python3.11/site-packages/gcloud/aio/auth/token.py", line 166, in __init__
    self.token_type = Type(self.service_data['type'])
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/enum.py", line 712, in __call__
    return cls.__new__(cls, value)
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/enum.py", line 1128, in __new__
    raise ve_exc
ValueError: 'impersonated_service_account' is not a valid Type

TheKevJames (Member) commented

We currently support impersonation via the target_principal and delegates Token arguments (see docs), but I'm not familiar offhand with the workflow which leads to the service_data containing the impersonation details. Would you be able to upload a (redacted, of course) copy of the SA json key file you're attempting to load? I suspect we'll just need to parse out a few different fields in that case.

zintrepid commented

I had this exact issue, and I made a PR with a proposed solution: #831.

zintrepid commented Nov 6, 2024

For reference, here is what the redacted SA json key looks like:

{
  "delegates": [],
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL:generateAccessToken",
  "source_credentials": {
    "account": "USER_EMAIL",
    "client_id": "CLIENT_ID",
    "client_secret": "CLIENT_SECRET",
    "refresh_token": "REFRESH_TOKEN",
    "type": "authorized_user",
    "universe_domain": "googleapis.com"
  },
  "type": "impersonated_service_account"
}
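The maintainer's suggestion of parsing out the fields of such a file, as an added example that is neither gcloud-aio's own code nor PR #831: a hypothetical parse_impersonated_adc helper that splits the posted (constructed, redacted) ADC file into the source credentials, target principal and delegates that an impersonating Token needs, and refuses an impersonation URL that does not point at the IAM Credentials API.

```python
import json
import re
from typing import Any, Dict

# Constructed sample, mirroring the redacted ADC file posted above.
SAMPLE_ADC = """{
  "delegates": [],
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL:generateAccessToken",
  "source_credentials": {
    "account": "USER_EMAIL",
    "client_id": "CLIENT_ID",
    "client_secret": "CLIENT_SECRET",
    "refresh_token": "REFRESH_TOKEN",
    "type": "authorized_user",
    "universe_domain": "googleapis.com"
  },
  "type": "impersonated_service_account"
}"""

# Only accept the IAM Credentials endpoint: the source refresh token is sent
# to whatever host this URL names, so it must not be taken on trust.
_IMPERSONATION_URL = re.compile(
    r"^https://iamcredentials\.googleapis\.com/v1/projects/-/"
    r"serviceAccounts/(?P<principal>[^/:]+):generateAccessToken$"
)

def parse_impersonated_adc(raw: str) -> Dict[str, Any]:
    """Split an impersonated ADC file into the pieces a Token needs:
    the source credentials to load, the target principal and delegates."""
    data = json.loads(raw)
    if data.get("type") != "impersonated_service_account":
        raise ValueError(f"not an impersonated ADC file: {data.get('type')!r}")
    m = _IMPERSONATION_URL.match(data.get("service_account_impersonation_url", ""))
    if not m:
        raise ValueError("unexpected service_account_impersonation_url")
    source = data.get("source_credentials")
    if not isinstance(source, dict) or "type" not in source:
        raise ValueError("source_credentials missing or malformed")
    delegates = data.get("delegates") or []
    if not all(isinstance(d, str) for d in delegates):
        raise ValueError("delegates must be a list of principal strings")
    return {
        "source_credentials": source,   # load these with the existing authorized_user path
        "target_principal": m.group("principal"),
        "delegates": list(delegates),
    }
```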
