
GoogleAuth.sign does not work with ExternalCredentials #1215

Closed
clhuang opened this issue Jul 21, 2021 · 1 comment · Fixed by #1227
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

clhuang commented Jul 21, 2021

Environment details

  • OS: Mac OS 11.4
  • Node.js version: 14.16.1
  • npm version: 6.14.12
  • google-auth-library version: 7.3.0

Steps to reproduce

```js
const { GoogleAuth } = require('google-auth-library');

// keyFilename points at an external account (workload identity federation) config
const auth = new GoogleAuth({ keyFilename: './clientLibraryConfig.json' });
auth.sign('abc').then(console.log); // fails: the external account client has no client_email
```

output:

```text
(node:76183) UnhandledPromiseRejectionWarning: Error: Cannot sign data without `client_email`.
    at GoogleAuth.sign (/Users/calvinhuang/scale/gcptest/node_modules/google-auth-library/build/src/auth/googleauth.js:638:19)
```

Attempting to use workload identity federation with cloud storage signing does not work because of this, where clientLibraryConfig.json is the config retrieved from the workload identity pools page.

It is possible to work around with a bit of a hack:

```js
const { GoogleAuth } = require('google-auth-library');

const auth = new GoogleAuth({ keyFilename: './clientLibraryConfig.json' });
(async () => {
  // getClient() loads the external account config and caches the client
  await auth.getClient();
  // hack: set the (private) jsonContent so sign() finds a client_email
  auth.jsonContent = { client_email: 'service-account-email' };
  await auth.sign('abc').then(console.log);
})();
```
@chingor13 chingor13 added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Jul 21, 2021
bojeil-google (Contributor) commented:

Hey @clhuang, external account creds currently do not support signing blobs. The implementation currently depends on service account keys or needs the service account email in order to call signBlob, which is why you are seeing this error.
I think we can update the implementation to get the service account email from the service account impersonation URL if available, or otherwise error.

@bcoe bcoe added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. and removed type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Jul 23, 2021
@bcoe bcoe assigned bojeil-google and unassigned silvolu Jul 23, 2021
bojeil-google added a commit that referenced this issue Aug 10, 2021
* feat: add GoogleAuth.sign() support to external account client

External account credentials previously did not support signing blobs.
The implementation previously depended on service account keys or
the service account email in order to call IAMCredentials signBlob.

When service account impersonation is used with external account
credentials, we can get the impersonated service account email and
call the signBlob API with the generated access token, provided the
token has the `iam.serviceAccounts.signBlob` permission. This is
included in the "Service Account Token Creator" role.

Fixes #1215
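As an added illustration of the approach described in bojeil-google's comment and in the commit message above (example code written for this page, not google-auth-library's own implementation): recover the impersonated service account email from the `service_account_impersonation_url` field of an external account config, and build the IAM Credentials `signBlob` request that the access token from the federation flow would authorize. The config values and the `sampleConfig` object are constructed placeholders; the request shape (POST to `.../serviceAccounts/{email}:signBlob` with a base64 `payload`) is the documented IAM Credentials API shape as I understand it.

```javascript
// Added example, not library code: derive the service account email for
// signBlob from an external account (workload identity federation) config.

// generateAccessToken URL carried by external account configs that use
// service account impersonation; the email sits between the last "/" and ":"
const SA_URL_RE =
  /^https:\/\/iamcredentials\.googleapis\.com\/v1\/projects\/-\/serviceAccounts\/([^:/]+):generateAccessToken$/;

// Returns the impersonated service account email, or null when the config
// carries no impersonation URL (the case the comment says should error).
function getImpersonatedEmail(config) {
  const url = config && config.service_account_impersonation_url;
  if (typeof url !== 'string') return null;
  const m = SA_URL_RE.exec(url);
  return m ? m[1] : null;
}

// Builds the signBlob request for `data`, authorized by an access token
// already obtained through the external account flow. Throws when no
// email can be determined, mirroring the error the reporter hit.
function buildSignBlobRequest(config, accessToken, data) {
  const email = getImpersonatedEmail(config);
  if (!email) {
    throw new Error('Cannot sign data without an impersonated service account email.');
  }
  return {
    method: 'POST',
    url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${email}:signBlob`,
    headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
    // signBlob expects the bytes to sign base64-encoded in `payload`
    body: JSON.stringify({ payload: Buffer.from(data).toString('base64') }),
  };
}

// Constructed sample in the shape of a clientLibraryConfig.json (placeholder
// project, pool and service account; not real identifiers).
const sampleConfig = {
  type: 'external_account',
  audience: '//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-pool/providers/my-provider',
  subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
  token_url: 'https://sts.googleapis.com/v1/token',
  service_account_impersonation_url:
    'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@example-project.iam.gserviceaccount.com:generateAccessToken',
  credential_source: { file: '/var/run/secrets/token' },
};
```

The token used for the call must belong to a principal holding `iam.serviceAccounts.signBlob` on that service account (the Service Account Token Creator role), as the commit message notes.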