Using domain-wide delegation with an attached service account in GCP

I would like to use domain-wide delegation with Google Cloud Functions' attached service accounts (aka function identity). I'm using the Google Auth Client library for Node.js.

The best practices for managing service account keys discourage using service account keys for domain-wide delegation:

Although examples illustrating the use of domain-wide delegation commonly suggest the use of service account keys, using service account keys is not necessary to perform domain-wide delegation.

In another best practice document it is specifically advised to use the client libraries to obtain access tokens:

To obtain access tokens in the application, use the client libraries if possible. The client libraries automatically detect if the application is running on a compute resource with an attached service account.

The suggested process of constructing and signing a JWT using the signJwt API, however, is manual and rather cumbersome.

After all, impersonating a user via JWT using a service account key is pretty straightforward:

const { google } = require('googleapis')

// Service-account-key flow: the library signs the assertion locally with the
// downloaded private key and sets `sub` to the user being impersonated.
const auth = new google.auth.JWT({
  subject: '[email protected]',
  keyFile: '/path/to/keyfile.json',  // <== Use attached service account instead
  scopes: [...]
})

const api = google.calendar({ version: 'v3', auth })

I was wondering whether there is an easier way to achieve this using the Google Auth library for Node.js.
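For reference, the key-less route the question calls cumbersome looks like this when written out. This is an added example, not code from the question or from google-auth-library: the attached service account's own token is fetched from the metadata server, the IAM Credentials signJwt method signs the assertion (so no private key ever leaves Google), and the signed JWT is exchanged for a user-scoped access token with the jwt-bearer grant. Assumptions: Node 18+ (global fetch), the function runs on GCP with an attached service account, that account has been authorised for the scopes in the Workspace admin console, and it holds the iam.serviceAccounts.signJwt permission on itself (roles/iam.serviceAccountTokenCreator), which is not granted by default. The claim-set and request-body helpers are pure so they can be checked offline; the email and user below are placeholders.

```javascript
// Added example: domain-wide delegation from an attached service account,
// no downloaded key. Network steps only work on GCP; the helpers are pure.
const TOKEN_URI = 'https://oauth2.googleapis.com/token';
const METADATA_SA =
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default';

// Claim set of the delegation assertion. `iss` is the service account,
// `sub` is the Workspace user to impersonate, `aud` is the token endpoint.
function buildClaims({ serviceAccountEmail, subject, scopes,
                       now = Math.floor(Date.now() / 1000), lifetimeSec = 3600 }) {
  if (!Array.isArray(scopes) || scopes.length === 0) throw new Error('at least one scope is required');
  if (lifetimeSec <= 0 || lifetimeSec > 3600) throw new Error('assertion lifetime must be 1..3600 s');
  return {
    iss: serviceAccountEmail,
    sub: subject,
    scope: scopes.join(' '),
    aud: TOKEN_URI,
    iat: now,
    exp: now + lifetimeSec,
  };
}

// Decode (without verifying) the payload of a compact JWT, to sanity-check
// what signJwt returned before handing it to the token endpoint.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Form body of the jwt-bearer grant (RFC 7523).
function buildTokenRequestBody(signedJwt) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion: signedJwt,
  }).toString();
}

// --- network steps: only meaningful on GCP with an attached service account ---
async function metadata(path) {
  const res = await fetch(`${METADATA_SA}/${path}`, { headers: { 'Metadata-Flavor': 'Google' } });
  if (!res.ok) throw new Error(`metadata server ${path}: HTTP ${res.status}`);
  return res;
}

// Token of the attached service account itself; used only to call IAM Credentials.
async function getAttachedToken() {
  return (await (await metadata('token')).json()).access_token;
}

async function getAttachedEmail() {
  return (await metadata('email')).text();
}

// Ask IAM Credentials to sign the claims with the account's Google-managed key.
// Caller needs iam.serviceAccounts.signJwt on the target account.
async function signJwtWithIamCredentials(serviceAccountEmail, claims, callerToken) {
  const url = 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/' +
    encodeURIComponent(serviceAccountEmail) + ':signJwt';
  const res = await fetch(url, {
    method: 'POST',
    headers: { Authorization: `Bearer ${callerToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ payload: JSON.stringify(claims) }),
  });
  if (!res.ok) throw new Error(`signJwt failed: HTTP ${res.status} ${await res.text()}`);
  return (await res.json()).signedJwt;
}

// Exchange the signed assertion for an access token scoped to the impersonated user.
async function exchangeAssertion(signedJwt) {
  const res = await fetch(TOKEN_URI, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildTokenRequestBody(signedJwt),
  });
  if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status} ${await res.text()}`);
  return res.json(); // { access_token, expires_in, token_type }
}

// End to end: usable as the bearer token for a Workspace API call on behalf of `subject`.
async function getDelegatedAccessToken(subject, scopes) {
  const [email, callerToken] = await Promise.all([getAttachedEmail(), getAttachedToken()]);
  const claims = buildClaims({ serviceAccountEmail: email, subject, scopes });
  const signedJwt = await signJwtWithIamCredentials(email, claims, callerToken);
  if (decodeJwtPayload(signedJwt).sub !== subject) throw new Error('signJwt returned an unexpected subject');
  return exchangeAssertion(signedJwt);
}

// Placeholder user and scope; run only inside a GCP function with an attached identity.
if (process.env.RUN_DWD_EXAMPLE === '1') {
  getDelegatedAccessToken('[email protected]', ['https://www.googleapis.com/auth/calendar.readonly'])
    .then((t) => console.log('delegated token expires in', t.expires_in, 's'))
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```

Two points worth keeping in mind with this flow: the attached identity must explicitly be allowed to sign as itself (the Token Creator role on its own service account), and the assertion lifetime is capped at one hour, so the helper rejects anything longer rather than letting the token endpoint fail later.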



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
