Problem Summary
Currently we create delegated credentials using downloaded ServiceAccount keys.
We learned that the python auth library supports using the Application Default Credential (ADC)
to generate delegated credentials, thus avoiding private key downloads which is a security risk.
The java library apparently does not support this feature.
Use Case Details
We have a service account S, that has domain-wide delegation permission on our domain as user U.
We have downloaded a ServiceAccount key for S, and use it to create delegated credentials:
The python library shows that it is possible to use the ADC to generate a credential for S. A detailed example
can be found here. If this is supported in the java library, presumably the new code would look like below.
The only requirement is for the ADC to have token creator permission on service account S.
Edited on Oct 24: I was wrong saying it is possible to "use the ADC to generate a credential for S". What can be done is
as follows:
Domain-wide delegation needs to be granted to the ADC, we can no longer use the service account S.
The above being done, we can use the ADC to sign an access token for itself. We verified that this is doable with AppEngine and Java using a hacked version of ServiceAccountCredentials.java
Is there a workaround for this? Any other library suggestion that can help? We don't want to use service account keys to create delegated credentials. I know that with node/typescript client, we don't have to use json keys to use a service account domain-wide-delegation in GKE environment. It would be nice to have that support here too.
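Added example, not from the issue author, the commenter, or the google-auth libraries: a stdlib-only Python sketch of the jwt-bearer assertion that a domain-wide delegation token request sends to Google's token endpoint, with the signature step isolated behind a callback. It makes the issue's security point concrete: the claim set (S as issuer, U as subject, scopes, audience, lifetime) needs no secret at all, and only the final signature needs S's key. In the key-based flow that callback is the downloaded key; in the keyless flow the issue asks for it would be a call to the IAM signJwt/signBlob API on S, granted through the Token Creator role the issue mentions, so the key never leaves Google. Everything named here is constructed (the project, the emails, `demo_hmac_signer`, `signed_by`); the HMAC stand-in signer exists only so the block runs offline, since Google's endpoint requires RS256, which is what IAM's signing API returns.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional

TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME_SECONDS = 3600  # the token endpoint rejects assertions valid for longer than one hour

# A signer takes the signing input (header.claims) and returns raw signature bytes.
# Key-based flow: RSA-SHA256 with a downloaded key.  Keyless flow: a call to the IAM
# credentials API (signJwt/signBlob) for service account S, so the key stays in Google.
Signer = Callable[[bytes], bytes]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_delegation_assertion(
    sa_email: str,
    delegated_user: str,
    scopes: List[str],
    signer: Signer,
    now: Optional[int] = None,
    lifetime: int = MAX_LIFETIME_SECONDS,
    alg: str = "RS256",
) -> str:
    """Build the JWT assertion for a domain-wide-delegation token request.

    iss is the service account S, sub is the Workspace user U being impersonated,
    aud is the token endpoint.  Only the final signature step touches key material.
    """
    if not 0 < lifetime <= MAX_LIFETIME_SECONDS:
        raise ValueError("assertion lifetime must be between 1 and 3600 seconds")
    if not scopes:
        raise ValueError("at least one scope is required")
    issued_at = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {
        "iss": sa_email,
        "sub": delegated_user,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": issued_at,
        "exp": issued_at + lifetime,
    }

    def encoded(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = f"{encoded(header)}.{encoded(claims)}"
    signature = signer(signing_input.encode("ascii"))
    return f"{signing_input}.{_b64url(signature)}"


def token_request_body(assertion: str) -> Dict[str, str]:
    """Form body POSTed to TOKEN_URI; the response carries the delegated access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def inspect_assertion(assertion: str) -> Dict[str, object]:
    """Decode the claims (no signature check) so an auditor can see who is acting as whom."""
    _, claims_b64, _ = assertion.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    return {
        "issuer": claims["iss"],
        "delegated_user": claims.get("sub"),
        "scopes": claims["scope"].split(),
        "audience": claims["aud"],
        "lifetime": claims["exp"] - claims["iat"],
    }


def demo_hmac_signer(secret: bytes) -> Signer:
    """Constructed stand-in signer (HS256) so the example runs offline.  Not usable
    against Google: the real signer must produce RS256, as IAM signJwt does."""
    return lambda data: hmac.new(secret, data, hashlib.sha256).digest()


def signed_by(assertion: str, signer: Signer) -> bool:
    """Recompute the signature with a symmetric demo signer and compare in constant time."""
    head, claims, sig = assertion.split(".")
    expected = _b64url(signer(f"{head}.{claims}".encode("ascii")))
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    demo = demo_hmac_signer(b"constructed-demo-secret")
    assertion = build_delegation_assertion(
        "s@example-project.iam.gserviceaccount.com",  # constructed service account S
        "u@example.com",                              # constructed delegated user U
        ["https://www.googleapis.com/auth/admin.directory.user.readonly"],
        demo, now=1_700_000_000, lifetime=600, alg="HS256",
    )
    print(inspect_assertion(assertion))
    print(token_request_body(assertion)["grant_type"])
```

For comparison with the Python library the issue cites: in google-auth for Python the role of the signer callback is played by `google.auth.iam.Signer`, which `google.oauth2.service_account.Credentials` accepts in place of a local key together with a `subject` for the delegated user; the Java request in this issue is for the same separation of claim building from signing.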