The issue is that when I want to use a domain wide delegation with GCP service account I need to use

Then I can use my credentials to call the calendar API as an impersonated user. This code works fine if I use credentials stored in a private key, but if I try to run it in App Engine, Cloud Run, GCE VM etc., the `Subject` field is silently ignored, which leads to some hard-to-diagnose errors, e.g. "Error : invalid conference type value while creating event with google meet link" (as explained here, this is because the account to impersonate is not provided: https://issuetracker.google.com/issues/187572926#comment4).

It would be a much better experience, saving hours of troubleshooting, if creating credentials would return an error if an unsupported parameter is provided here: https://cs.opensource.google/go/x/oauth2/+/master:google/default.go;l=114;drc=e07593a4c41a489556d019d1ad4d82e9ee66b4a7;bpv=0;bpt=1

Something like that would be great:

```go
if metadata.OnGCE() {
	id, _ := metadata.ProjectID()
	// Metadata-server credentials cannot impersonate a user, so fail
	// explicitly instead of silently ignoring Subject.
	if params.Subject != "" {
		return nil, errors.New("google: Can't use Subject param with GCE credentials")
	}
	return &DefaultCredentials{
		ProjectID:   id,
		TokenSource: ComputeTokenSource("", params.Scopes...),
	}, nil
}
```

Note that I am requesting to just fail explicitly when trying to use unsupported features. To actually get domain delegation working for this kind of credentials I just used a custom TokenSource created by modifying jwt.go to use signJWT endpoint instead of signing it locally: https://gist.github.com/kramarz/6d132c34372614570fd5808335ba4a9c
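The workaround the issue describes, having Google sign the delegation JWT through the IAM Credentials `signJwt` endpoint because no private key exists on GCE, Cloud Run or App Engine, involves the requests built below. This is an added example, not the issue author's gist and not code from `golang.org/x/oauth2`; the helper names and sample identities are hypothetical, and `bearer` is assumed to be a metadata-server access token for the runtime service account.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)
const tokenURL = "https://oauth2.googleapis.com/token"

// delegationClaims (hypothetical helper) builds the domain-wide delegation claim set.
// It fails closed on an empty subject instead of silently acting as the service account.
func delegationClaims(saEmail, subject string, scopes []string, now time.Time) (string, error) {
	if subject == "" {
		return "", errors.New("delegation: empty subject, refusing to build claims")
	}
	b, err := json.Marshal(map[string]interface{}{"iss": saEmail, "sub": subject,
		"scope": strings.Join(scopes, " "), "aud": tokenURL, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	return string(b), err
}

// signJWTRequest builds (but does not send) the IAM Credentials signJwt call.
// The response's signedJwt field carries the JWT signed with a Google-managed key.
func signJWTRequest(saEmail, claims, bearer string) (*http.Request, error) {
	body, err := json.Marshal(map[string]string{"payload": claims})
	if err != nil {
		return nil, err
	}
	u := "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" + url.PathEscape(saEmail) + ":signJwt"
	req, err := http.NewRequest(http.MethodPost, u, strings.NewReader(string(body)))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+bearer)
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

// exchangeForm is the form body POSTed to tokenURL to trade the signed JWT for a user-scoped token.
func exchangeForm(signedJWT string) url.Values {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {signedJWT}}
}

func main() { // constructed input: an empty subject is refused
	fmt.Println(delegationClaims("sa@example-project.iam.gserviceaccount.com", "", nil, time.Now()))
}
```

The runtime service account needs permission to call `signJwt` on the account named in `iss`, for example through the Service Account Token Creator role.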