Linked to #468 and PR #469, and especially following the comment of @silvolu, I would like to propose another approach, this time compliant with IAP.
Instead of using the user credential to create an id_token with a generic client_id and client_secret, I propose to use the Service Account Credentials API generateIdToken method.
This method requires using a service account, not the user credential. By default, I propose to use the Compute Engine default service account of the current quota project id.
The user can override this value by setting the environment variable SERVICE_ACCOUNT_APPLICATION_CREDENTIALS to the email of the service account to use. The token is generated by calling the Service Account Credentials API generateIdToken method. I propose to reuse the existing method from the IamUtils class.
Because this method won't use the user credential (roles and authorization) and because it could be a trap for the user, I propose to print a clear warning message the first time the id_token is generated. In addition, this message informs the user that they need to have the Service Account Token Creator role granted on the service account (printed in the logs as well).
I will be happy to discuss this in this issue or in the coming PR (I have worked on the code to validate the feasibility).
Best
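As an added illustration (not code from this issue or the project), here is the proposed flow in Python: the service account is resolved from SERVICE_ACCOUNT_APPLICATION_CREDENTIALS or falls back to the Compute Engine default account, the generateIdToken request is built, the one-time warning is emitted, and the returned token's aud and email claims are checked before it is handed to IAP. Function names are assumptions; the project number, IAP client id and token below are constructed placeholders.

```python
import base64
import json
import os
import warnings

IAM_CREDENTIALS_ENDPOINT = "https://iamcredentials.googleapis.com/v1"
SA_ENV_VAR = "SERVICE_ACCOUNT_APPLICATION_CREDENTIALS"  # override proposed in the issue
_warned = False

def resolve_service_account(project_number, env=None):
    """Env override first, else the Compute Engine default SA (its address uses the project number)."""
    env = os.environ if env is None else env
    return env.get(SA_ENV_VAR) or f"{project_number}-compute@developer.gserviceaccount.com"

def build_generate_id_token_request(sa_email, audience):
    """URL and JSON body of the Service Account Credentials API generateIdToken call;
    the caller needs roles/iam.serviceAccountTokenCreator on sa_email."""
    url = f"{IAM_CREDENTIALS_ENDPOINT}/projects/-/serviceAccounts/{sa_email}:generateIdToken"
    return url, {"audience": audience, "includeEmail": True}

def warn_once(sa_email):
    """The one-time warning the proposal asks for; returns True only when it was emitted."""
    global _warned
    if _warned:
        return False
    _warned = True
    warnings.warn(f"ID tokens are minted for {sa_email}, not for your user identity; "
                  "you need the Service Account Token Creator role on that account.")
    return True

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(payload):
    """Constructed, unsigned JWT for offline testing only (the signature part is a placeholder)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"

def token_matches(id_token, audience, sa_email):
    """Pre-flight check before handing the token to IAP: decode the payload (signature is NOT
    verified here; IAP does that) and confirm aud and email are the ones we asked for."""
    payload_b64 = id_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    return payload.get("aud") == audience and payload.get("email") == sa_email
```

The audience must be the IAP client id of the protected resource; a token minted for a different audience is rejected by IAP, which is why the aud check sits in front of the request.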