Implement Google.Apis.Auth.OAuth2.ImpersonatedCredentials #1312
Comments
Can we make sure it works with this ServiceAccountCredential (Auth) code! I think here is the similar class: |
This would be wonderful for development scenarios |
Assigning to Amanda to see whether this is covered by existing auth work and/or other languages. |
Note to self: impersonated credentials should be OIDC token providers as well. |
This issue has been moved to the backlog in #1719 . Please refer to BACKLOG.md for more information. |
Being addressed in #1838 . |
@arithmetic1728 not sure why I can't assign this one to you. I'll take a look later. |
FYI: This has been released on the v1.52.0 of the Google.Apis libraries. @salrashid123 If you try it out and find any issues, do let us know. Thanks! FYI: @arithmetic1728 . |
When was 1.52 released?
I had no issues using the impersonation for a while
Zunair
From: Amanda Tarafa Mas ***@***.***>
Sent: Tuesday, June 15, 2021, 12:03 PM
To: googleapis/google-api-dotnet-client
Cc: Zunair; Comment
Subject: Re: [googleapis/google-api-dotnet-client] Implement Google.Apis.Auth.OAuth2.ImpersonatedCredentials (#1312)
FYI: This has been released on the v1.52.0 of the Google.Apis libraries.
@salrashid123 If you try it out and find any issues, do let us know. Thanks!
FYI: @arithmetic1728 .
|
@Zunair v1.52.0 was released an hour ago roughly and before that the Google.Apis.Auth library didn't support impersonation. Are you referring to Domain Wide Delegation? That has been supported for a long time, without any issues. |
Ah ok, yes I confused it with domain wide delegation. Thanks! |
thx. confirmed it works with storage, oauth2 api library and id token as impersonated creds

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Oauth2.v2;
using Google.Apis.Services;
using Google.Cloud.Storage.V1;

// Enclosing class: the name is assumed, the post shows only its closing brace.
public class ImpersonationSample
{
    public async Task<string> Run()
    {
        // Source credential: a service account key file (or Application Default Credentials).
        // The source identity needs the Service Account Token Creator role on the target.
        using Stream jsonKey = File.OpenRead("/path/to/svc.json");
        string targetPrincipal = "impersonated-account@project.iam.gserviceaccount.com";
        //GoogleCredential sourceCredential = GoogleCredential.GetApplicationDefault();
        GoogleCredential sourceCredential = GoogleCredential.FromStream(jsonKey);

        // Derive a short-lived credential for the target service account.
        var credential = sourceCredential.Impersonate(new ImpersonatedCredential.Initializer(targetPrincipal)
        {
            DelegateAccounts = new string[] { },
            Scopes = new string[] { "https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/devstorage.read_only" },
            Lifetime = TimeSpan.FromHours(1)
        });

        // OAuth2 API library: the reported email is that of the impersonated account.
        var service = new Oauth2Service(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = "Oauth2 Sample",
        });
        Console.WriteLine(service.Userinfo.Get().Execute().Email);

        // ID token issued for the impersonated account, bound to the target audience.
        var targetAudience = "https://myapp-6w42z6vi3q-uc.a.run.app";
        OidcToken oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience(targetAudience).WithTokenFormat(OidcTokenFormat.Standard)).ConfigureAwait(false);
        string token = await oidcToken.GetAccessTokenAsync().ConfigureAwait(false);
        Console.WriteLine(token);

        // b) For Google Cloud APIs:
        var client = StorageClient.Create(credential);
        foreach (var obj in client.ListObjects("fabled-ray-104117", ""))
        {
            Console.WriteLine(obj.Name);
        }
        return null;
    }
}
```
|
Allows one user or service account to impersonate another using iamcredentials api.
I don't know dotnet well but took a shot at implementation here which works:
Google.Apis.Auth.OAuth2.ImpersonatedCredentials.cs
The snippet above does work with a client like this in the sense I get the correct derived access_token but I don't know enough about dotnet package references to allow passing it into
If you want to set it up, here are some gcloud commands to set up impersonation credentials:
Setup: https://gist.github.com/salrashid123/d3f4055496ffcfa18221aadd9c14e7e9
It's already implemented or pending for several other languages:
ref: