-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(IAM) Service account key created with python can't be used with the client #7824
(IAM) Service account key created with python can't be used with the client #7824
Comments
First, we don't (yet) have support for the full IAM API here, which is why your example has to use the older Looking at those docs: the payload returned by To get the "JSON service account file" format, you need to pass the iam_service = googleapiclient.discovery.build('iam', 'v1')
request_body = {
'privateKeyType': 'TYPE_GOOGLE_CREDENTIALS_FILE', # might need to be 3?
}
key = iam_service.projects().serviceAccounts().keys().create(
name='projects/-/serviceAccounts/' + service_account_email,
body=request_body
).execute() And then use the with open("service_account.json", 'w') as key_file:
key_file.write(json.dumps(key['privateKeyData'])) If that doesn't work for you, please use one of the resources on the IAM API support page to get better support for your usecase. |
TYPE_GOOGLE_CREDENTIALS_FILE seems to be the default according to https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountPrivateKeyType I'll put in a support request. thanks for the help! |
I have exact same issue where freshly created service account key is failing to get loaded into credentials with @adamdavis40208 kindly pls if you submitted this issue 'elsewhere' do post a reference here or PM me. Thanks! Evidence: request=iam.projects().serviceAccounts().keys().create(name=ret['name'],
body={'privateKeyType':'TYPE_GOOGLE_CREDENTIALS_FILE'})
key=request.execute()
>>> print json.dumps(key, indent=4) #just to verify what we got
{
"keyOrigin": "GOOGLE_PROVIDED",
"name": "goodandvalidname",
"validBeforeTime": "2029-06-28T15:09:59Z",
"privateKeyData": "datadata",
"privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE",
"keyAlgorithm": "KEY_ALG_RSA_2048",
"validAfterTime": "2019-07-01T15:09:59Z"
}
>>> credentials = google.oauth2.service_account.Credentials.from_service_account_info(key)
Traceback (most recent call last):
File "/home/user/.p2/pool/plugins/org.python.pydev.core_7.2.1.201904261721/pysrc/_pydevd_bundle/pydevd_exec.py", line 3, in Exec
exec exp in global_vars, local_vars
File "<console>", line 1, in <module>
File "/home/user/.local/lib/python2.7/site-packages/google/oauth2/service_account.py", line 193, in from_service_account_info
info, require=['client_email', 'token_uri'])
File "/home/user/.local/lib/python2.7/site-packages/google/auth/_service_account_info.py", line 51, in from_dict
'fields {}.'.format(', '.join(missing)))
ValueError: Service account info was not in the expected format, missing fields token_uri, client_email. |
Answering my own issue and probably helping others... The 'key' we get from python APIs is NOT the 'json key' as obtained from The data in this field is base64 encoded and needs decoding, and subsequently dumping to json. Below is the snippet from functional code, demonstrating the credentials are loaded back from such key: request=iam.projects().serviceAccounts().keys().create(name=ret['name'],
body={'privateKeyType':'TYPE_GOOGLE_CREDENTIALS_FILE'})
key=request.execute()
key=base64.decodestring(key['privateKeyData'])
key=json.loads(key)
credentials = google.oauth2.service_account.Credentials.from_service_account_info(key) I figured this out by stepping thru |
I went with a gcloud subprocess. I'm not sure about the status of the request, I'll reach out to my gcp TAM |
I'm trying to attempt to create a service account, give it permissions, and then use it, all at once.
The issue that I'm running into is that generating the service account json, and then loading that json seem to be two differing formats.
There are two formats to the service account file.
Generating one with the python client, and then trying to re-use that with the SDK produces this error:
ValueError: Service account info was not in the expected format, missing fields token_uri, client_email.
The auth documentation page says:
But that doesn't seem to be true.
Is there a way you can generate a service account json in the python SDK and then use that in the python SDK?
Sample code:
The text was updated successfully, but these errors were encountered: