Native service account integration when running on GCP #670
Comments
Hello, Sorry, I don't quite get your requirements fully yet, so could you clarify a bit? Best,
Hello @fiboknacky,

The same results as using a JSON key file (the Domain Wide Delegation method), but without having to use an actual JSON key file.

When running on Google Cloud Platform, access to service accounts is provided to the application by the metadata server: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#applications

This is provided by GCECredentials in google-auth-php, but by itself doesn't support impersonation/DWD the same as when using the JSON key file: however, we can get the same functionality by using the Service Account Credentials API to sign the JWT, without actually holding the private key (usually in the JSON key file), meaning the application doesn't need to hold the full set of credentials and instead can detect and use them automatically from the environment.

In our working example (we've got it running on App Engine at the moment), DWDTokenSource implements FetchTokenInterface to be consumed by this AdWords API library by extending OAuth2 and switching the

In my code example above, the ini file no longer contains the credentials - it only contains the

For you to support this, I think it would require some changes in the underlying google-auth-php library first.
I see and agree that the change in
Closing this issue due to no activity. Please feel free to reopen with new information.
We had a requirement to use the AdWords API from an application running on App Engine, but all the authentication methods described in the library require either manually generating a client ID and a refresh token for a user, or using DWD, but the latter is only supported with a JSON key file.
This kind of goes against the grain with the convention on GCP of using credentials provided by the environment, in the form of the default service account, accessible from the metadata server with additional signing capability via the Service Account Credentials API.
I've also posted an issue in the underlying authentication library, as this seems to be related to a lack of functionality there, restricting what is available in this and other libraries: googleapis/google-auth-library-php#287
We have already implemented our own method of doing this, but it would be nice to provide an official method:
In our library for running Laravel 5.5 on App Engine, we have this new class:
https://github.com/a1comms/GaeSupportLaravel/blob/php72-laravel55/src/A1comms/GaeSupportLaravel/Integration/JWT/TokenSource/DWDTokenSource.php
Which turns this example code using credentials stored in the ini file:
into this, which requires no deployed credentials (inc. JSON key files), only the email of the user you'd like to impersonate:
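The flow the issue describes (metadata-server credentials plus the Service Account Credentials API signing the JWT in place of a local private key), as an added PHP example that is not the author's DWDTokenSource nor code from google-ads-php or google-auth-php. The endpoint URLs are Google's documented ones; the function names, the roles/iam.serviceAccountTokenCreator grant and the `$scopes` list are assumptions for illustration.

```php
<?php
// Added example (not code from the issue, google-ads-php or google-auth-php): Domain-Wide Delegation on
// App Engine/GCE without a JSON key file. The private key never leaves Google, so no long-lived key
// material is deployed with the app. Assumes the runtime service account has
// roles/iam.serviceAccountTokenCreator on itself and DWD is granted to its client ID for $scopes.
declare(strict_types=1);
const METADATA_SA = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/';

function httpGetOrPost(string $url, array $headers, ?string $body = null): string {
    $http = ['method' => $body === null ? 'GET' : 'POST', 'header' => implode("\r\n", $headers), 'ignore_errors' => true];
    if ($body !== null) { $http['content'] = $body; }
    $raw = file_get_contents($url, false, stream_context_create(['http' => $http]));
    if ($raw === false) { throw new RuntimeException("request failed: $url"); }
    return $raw;
}
function decodeJson(string $raw): array {
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (isset($data['error'])) { throw new RuntimeException('API error: ' . json_encode($data['error'])); }
    return $data;
}
// Step 1: identity and access token of the default service account, provided by the metadata server.
function metadataServiceAccount(): array {
    $email = httpGetOrPost(METADATA_SA . 'email', ['Metadata-Flavor: Google']);
    $token = decodeJson(httpGetOrPost(METADATA_SA . 'token', ['Metadata-Flavor: Google']));
    return [$email, $token['access_token']];
}
// Step 2: the same claims the key-file DWD flow signs locally; `sub` is the impersonated user.
function delegationClaims(string $saEmail, string $subject, array $scopes, int $now): array {
    return ['iss' => $saEmail, 'sub' => $subject, 'scope' => implode(' ', $scopes),
            'aud' => 'https://oauth2.googleapis.com/token', 'iat' => $now, 'exp' => $now + 3600];
}
// Step 3: let the IAM Service Account Credentials API sign the JWT instead of a local private key.
function signJwtViaIam(string $saEmail, string $saToken, array $claims): string {
    $url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{$saEmail}:signJwt";
    $headers = ['Authorization: Bearer ' . $saToken, 'Content-Type: application/json'];
    $resp = decodeJson(httpGetOrPost($url, $headers, json_encode(['payload' => json_encode($claims)])));
    return $resp['signedJwt'];
}
// Step 4: exchange the signed assertion for a user-scoped access token, as the key-file flow does.
function exchangeAssertion(string $signedJwt): array {
    $body = http_build_query(['grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion' => $signedJwt]);
    $headers = ['Content-Type: application/x-www-form-urlencoded'];
    return decodeJson(httpGetOrPost('https://oauth2.googleapis.com/token', $headers, $body));
}
function fetchDelegatedToken(string $subject, array $scopes): array {
    [$saEmail, $saToken] = metadataServiceAccount();
    $signed = signJwtViaIam($saEmail, $saToken, delegationClaims($saEmail, $subject, $scopes, time()));
    return exchangeAssertion($signed); // ['access_token' => ..., 'expires_in' => ..., 'token_type' => 'Bearer']
}
```

Where the key-file flow's control point is custody of the key, here it is the roles/iam.serviceAccountTokenCreator grant: each signature is an authenticated API request rather than an offline signing operation.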