Add Documentation About Using Delegated Credential With Service Account #1699

Open
melvinkcx opened this issue May 7, 2019 · 3 comments


@melvinkcx melvinkcx commented May 7, 2019

This guide provides a code example for using delegated domain-wide authority in Python.

from google.oauth2 import service_account

SCOPES = ['https://www.googleapis.com/auth/sqlservice.admin']
SERVICE_ACCOUNT_FILE = '/path/to/service.json'

credentials = service_account.Credentials.from_service_account_file(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES)

delegated_credentials = credentials.with_subject('user@example.org')

However, this seems to be non-existent in this Node.js client library. I spent some time navigating the source code before I managed to use delegated credentials in Node.js.

Hence, I suggest we supplement the README with this piece of information.

melvinkcx changed the title from "Add Documentation For Using Delegated Credential With Service Account" to "Add Documentation About Using Delegated Credential With Service Account" on May 7, 2019

@goooseman goooseman commented May 22, 2019

Oh, I've just spent 4 hours searching for it.

Here is the code sample:

import { google, admin_directory_v1 } from "googleapis";
import md5 from "md5"; // any MD5 implementation works; the Directory API accepts hashFunction "MD5"

// Shape of the `name` field of a Directory API user (googleapis typings).
type UserName = admin_directory_v1.Schema$UserName;

const getAdminApi = async () => {
  const auth = await google.auth.getClient({
    scopes: ["https://www.googleapis.com/auth/admin.directory.user"],
  });
  // Yep, that's weird. But we need it. And yes, there is no such parameter, neither in the docs nor in the typings.
  // But we need it, believe me. Spent 4 hours searching for it.
  // https://stackoverflow.com/questions/50335892/how-to-impersonate-an-admin-user-when-using-getclient-in-the-google-api-nodejs
  // @ts-ignore
  auth.subject = process.env.GOOGLE_ADMIN_EMAIL;
  return google.admin({
    version: "directory_v1",
    auth,
  });
};

export const createUser = async ({
  email,
  username,
  password,
}: {
  email: string;
  password: string;
  username: UserName;
}) => {
  const adminApi = await getAdminApi();
  const { data: user } = await adminApi.users.insert({
    requestBody: {
      password: md5(password),
      hashFunction: "MD5",
      primaryEmail: email,
      name: username,
    },
  });
  user.password = password;
  return user;
};

Property `subject` does not exist on authClient according to the docs or typings. But it exists and it works!


@goooseman goooseman commented May 22, 2019

Ok, it does exist in the typings:
https://github.com/googleapis/google-auth-library-nodejs/blob/37bb8c7cd0a6501103274284d9cddd6816cc881e/src/auth/jwtclient.ts#L36

So I've rewritten my code without using @ts-ignore by manually selecting the JWT class for the auth client:

import { google } from "googleapis";
import { JWT } from "google-auth-library";

const getAdminApi = async () => {
  // Cast to JWT: `subject` is declared on the JWT client, so no @ts-ignore is needed.
  const auth = (await google.auth.getClient({
    scopes: ["https://www.googleapis.com/auth/admin.directory.user"],
  })) as JWT;

  // The admin user the service account impersonates (domain-wide delegation).
  auth.subject = process.env.GOOGLE_ADMIN_EMAIL;

  return google.admin({ version: "directory_v1", auth });
};

But anyway, it should be mentioned in the docs, because users trying to access the Directory API to create or manipulate users in their G Suite SDK will face an unrecognized 403 error, and none of these guides (1, 2) say anything about providing a subject.

Ok, in one of them it is said that you need to impersonate an admin account with your service account, but it is not possible to find anything by the "impersonate" keyword in this repo.

@bcoe bcoe (Contributor) commented Jun 4, 2019

@goooseman 👋 do you think it would be sufficient to add another example in samples/ demonstrating the approach you outline? Any interest in making a PR?
