Implement Google.Apis.Auth.OAuth2.ImpersonatedCredentials

[salrashid123]

Allows one user or service account to impersonate another using iamcredentials api.

Impersonated Credentials allows credentials issued to a user or
service account to impersonate another. The target service account must
grant the originating credential principal the
`Service Account Token Creator`_ IAM role:
For more information about Token Creator IAM role and
IAMCredentials API, see

• https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role
• https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials

---

I don't know dotnet well but took a shot at implementation here which works:

Google.Apis.Auth.OAuth2.ImpersonatedCredentials.cs

• https://gist.github.com/salrashid123/10f9c90caddcaab61fb6e5767debe050

---

THe snippet above does work with a client like this in the sense i get the correct derived access_token

Stream jsonKey = System.IO.File.OpenRead("mineral-minutia-820-83b3ce7dcddb.json");
GoogleCredential sourceCredentials = GoogleCredential.FromStream(jsonKey);

string targetPrincipal = "impersonated-account@fabled-ray-104117.iam.gserviceaccount.com";
string[] scopes = { "https://www.googleapis.com/auth/devstorage.read_only" };
string[] delegates = { };
int lifetime = 3600;

GoogleCredential targetCredentials = GoogleCredential.ToImpersonatedCredentials(
                sourceCredentials,
                targetPrincipal,
                scopes,
                delegates,
                lifetime
);

string accessToken = await (targetCredentials as ITokenAccess).GetAccessTokenForRequestAsync();
Console.WriteLine(accessToken);

ImpersonatedCredential impersonatedCredential = new ImpersonatedCredential(new ImpersonatedCredential.Initializer
            {
                SourceCredential = sourceCredentials,
                TargetPrincipal = targetPrincipal,
                Scopes = scopes,
                Delegates = delegates,
                Lifetime = lifetime
            });

accessToken = await (impersonatedCredential as ITokenAccess).GetAccessTokenForRequestAsync();
Console.WriteLine(accessToken);

but i don't know enough about dotnet package references to allow passing it into

var client = StorageClient.Create(targetCredentials);
foreach (var obj in client.ListBuckets("mineral-minutia-820"))
{
    Console.WriteLine(obj.Name);
}

---

If you want to set it up, here are some gcloud commands to setup impersonation credentials:

Setup: https://gist.github.com/salrashid123/d3f4055496ffcfa18221aadd9c14e7e9

---

its already implemented or pending for several other languages:

ref:

• python: implemented
• java implemented; live next release
• golang on review
• nodejs: working sample

[Zunair]

Can we make sure it works with this ServiceAccountCredential (Auth) code!
https://stackoverflow.com/questions/54868344/batch-request-sendas-emails

I think here is the similar class:
https://github.com/gillissm/Paragon.Sitecore.ChartByGoogle/blob/e18fd3ef857f2f423cdfa9d1cc02bb0a37ba77e2/src/Paragon.GoogleAnalytics.Factory/AuthorizationFactory/GoogleAuthorizationFactory.cs

[NinoFloris]

This would be wonderful for development scenarios

[jskeet]

Assigning to Amanda to see whether this is covered by existing auth work and/or other languages.

[amanda-tarafa]

Note to self: impersonated credentials should be OIDC token providers as well.

[amanda-tarafa]

This issue has been moved to the backlog in #1719 . Please refer to BACKLOG.md for more information.

[amanda-tarafa]

Being adressed in #1838 .

[amanda-tarafa]

@arithmetic1728 not sure why I can't assign this one to you. I'll take a look later.

[amanda-tarafa]

Closing via #1838 and #1874

[amanda-tarafa]

FYI: This has been released on the v1.52.0 of the Google.Apis libraries.

@salrashid123 If you try it out and find any issues, do let us know. Thanks!

FYI: @arithmetic1728 .

[Zunair]

When was 1.52 released? I had no issues using the impersonation from a while Zunair

…

________________________________ From: Amanda Tarafa Mas ***@***.***> Sent: Tuesday, June 15, 2021, 12:03 PM To: googleapis/google-api-dotnet-client Cc: Zunair; Comment Subject: Re: [googleapis/google-api-dotnet-client] Implement Google.Apis.Auth.OAuth2.ImpersonatedCredentials (#1312) FYI: This has been released on the v1.52.0 of the Google.Apis libraries. @salrashid123<https://github.com/salrashid123> If you try it out and find any issues, do let us know. Thanks! FYI: @arithmetic1728<https://github.com/arithmetic1728> . — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#1312 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAIKEERO7ABD4HKVBRIYM5TTS52UDANCNFSM4GGH23ZA>.

[amanda-tarafa]

@Zunair v1.52.0 was released an hour ago roughly and before that the Google.Apis.Auth library didn't support impersonation.

Are you referring to Domain Wide Delegation? That has been supported for a long time, without any issues.

[Zunair]

Ah ok, yes I confused it with domain wide delegation.

Thanks!

[salrashid123]

thx. confirmed it works with storage, oauth2 api library and id token as impersonated creds

        public async Task<string> Run()
        {

            Stream jsonKey = System.IO.File.OpenRead("/path/to/svc.json");

            string targetPrincipal = "impersonated-account@project.iam.gserviceaccount.com";
            //GoogleCredential sourceCredential = GoogleCredential.GetApplicationDefault();
            GoogleCredential sourceCredential = GoogleCredential.FromStream(jsonKey);

            var credential = sourceCredential.Impersonate(new ImpersonatedCredential.Initializer(targetPrincipal)
            {
                DelegateAccounts = new string[] { },
                Scopes = new string[] { "https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/devstorage.read_only" },
                Lifetime = TimeSpan.FromHours(1)
            });

            var service = new Oauth2Service(new BaseClientService.Initializer()
            {
                HttpClientInitializer = credential,
                ApplicationName = "Oauth2 Sample",
            });
            Console.WriteLine(service.Userinfo.Get().Execute().Email);

            var targetAudience = "https://myapp-6w42z6vi3q-uc.a.run.app";
            OidcToken oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience(targetAudience).WithTokenFormat(OidcTokenFormat.Standard)).ConfigureAwait(false);

            string token = await oidcToken.GetAccessTokenAsync().ConfigureAwait(false);
            Console.WriteLine(token);

            // b) For Google Cloud APIs:

            var client = StorageClient.Create(credential);
            foreach (var obj in client.ListObjects("fabled-ray-104117", ""))
            {
                Console.WriteLine(obj.Name);
            }
            return null;
        }
    }