
feat: Generate id_token with user credential #492

Closed
guillaumeblaquiere opened this issue Oct 15, 2020 · 0 comments · Fixed by #650
Labels: type: feature request (‘Nice-to-have’ improvement, new feature or different behavior or design.)

Comments

@guillaumeblaquiere

Linked to #468 and PR #469, and especially following the comment of @silvolu, I would like to propose another approach, this time compliant with IAP.

Instead of using the user credential to create an id_token with generic client_id and client_secret, I propose to use the Service Account Credentials API generateIdToken method.

This method requires a service account, not the user credential. By default, I propose to use the Compute Engine default service account of the current quota project id.

The user can override this value by setting an environment variable SERVICE_ACCOUNT_APPLICATION_CREDENTIALS with the email of the service account to use.

The token is generated by calling the Service Account Credentials API generateIdToken method. I propose to reuse the existing method from the IamUtils class.

Because this method won't use the user credential (role and authorization) and because it could be a trap for the user, I propose to print a clear warning message the first time that the id_token is generated. In addition, this message informs the users that they need to have the Service Account Token Creator role granted on the service account (printed in the logs also).

I will be happy to discuss this in this issue or in the coming PR (I worked on the code to validate the feasibility).

Best
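As an added example (not code from the issue, the library or PR #650), the flow the proposal describes, written in Python as a plain REST call to the Service Account Credentials API: the target service account comes from SERVICE_ACCOUNT_APPLICATION_CREDENTIALS, falling back to the Compute Engine default account of the quota project, and the trap the post warns about (the id_token carries the service account's identity, not the user's) is surfaced as a one-time warning. The endpoint and body shape are the public generateIdToken API; the project number, audience and sample response are constructed, and resolving the quota project's number from its id (needed to name the default account) is assumed to have happened already.

```python
import json
import os
import warnings
from typing import Optional

IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"
ENV_OVERRIDE = "SERVICE_ACCOUNT_APPLICATION_CREDENTIALS"  # env var proposed in the issue
_warned = False


def target_service_account(quota_project_number: str, env: Optional[dict] = None) -> str:
    """Service account whose identity the id_token will carry.

    The env var named in the proposal wins; otherwise fall back to the Compute Engine
    default account of the quota project. Assumption: the caller already resolved the
    quota project *number* (the default account's email is derived from it, not the id).
    """
    env = os.environ if env is None else env
    override = env.get(ENV_OVERRIDE, "").strip()
    if override:
        if "@" not in override:
            raise ValueError(f"{ENV_OVERRIDE} must be a service account email")
        return override
    return f"{quota_project_number}-compute@developer.gserviceaccount.com"


def generate_id_token_request(user_access_token: str, sa_email: str, audience: str) -> dict:
    """Build the generateIdToken call. The *user's* access token authorizes the call,
    but the returned id_token identifies sa_email, so warn once, as the issue proposes."""
    global _warned
    if not _warned:
        warnings.warn(
            f"id_token will identify {sa_email}, not the signed-in user; the user needs "
            f"roles/iam.serviceAccountTokenCreator on that service account", stacklevel=2)
        _warned = True
    return {
        "method": "POST",
        "url": f"{IAM_CREDENTIALS}/projects/-/serviceAccounts/{sa_email}:generateIdToken",
        "headers": {"Authorization": f"Bearer {user_access_token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"audience": audience, "includeEmail": True}),
    }


def id_token_from_response(body: str) -> str:
    """Extract the token from the API's JSON response, rejecting anything that is not a JWT."""
    data = json.loads(body)
    token = data.get("token")
    if not isinstance(token, str) or token.count(".") != 2:
        raise ValueError("generateIdToken response did not contain a JWT")
    return token
```

The audience must be the IAP client id (or other intended recipient) so the token is useless anywhere else, and the caller should still verify the returned JWT's signature and `aud` before trusting it.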

@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Oct 16, 2020
@chingor13 chingor13 added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Oct 21, 2020
@yoshi-automation yoshi-automation removed triage me I really want to be triaged. 🚨 This issue needs some love. labels Oct 21, 2020
@TimurSadykov TimurSadykov self-assigned this May 15, 2021