Service account to JWT token upgrade fails when no scopes provided #2391

Closed
jskeet opened this issue Oct 31, 2016 · 1 comment

jskeet commented Oct 31, 2016

Apologies for the poor wording - I don't know enough about the details to term this properly.

Here's a small piece of code using the Monitoring library at https://github.com/GoogleCloudPlatform/google-cloud-java

```java
package monitoringbug;

import com.google.api.MetricDescriptor;
import com.google.cloud.monitoring.spi.v3.MetricServiceApi;

public class App {
    public static void main(String[] args) throws Exception {
        System.out.println("Environment: " + System.getenv("GOOGLE_APPLICATION_CREDENTIALS"));
        MetricServiceApi api = MetricServiceApi.create();
        System.out.println("Created API");
        for (MetricDescriptor descriptor : api.listMetricDescriptors("projects/jonskeet-uberproject", "").iterateAllElements()) {
            System.out.println(descriptor);
        }
        System.out.println("Done");
    }
}
```

Without GOOGLE_APPLICATION_CREDENTIALS set, this runs and outputs some metric descriptors. With the environment variable set to my service account JSON file, I get:

```
Exception in thread "main" com.google.api.gax.grpc.ApiException: io.grpc.StatusRuntimeException: UNAUTHENTICATED
	at com.google.api.gax.grpc.ExceptionTransformingCallable$1.onFailure(ExceptionTransformingCallable.java:91)
	at com.google.common.util.concurrent.Futures$6.run(Futures.java:1764)
	at com.google.common.util.concurrent.MoreExecutors$DirectExecutor.execute(MoreExecutors.java:456)
	at com.google.common.util.concurrent.AbstractFuture.executeListener(AbstractFuture.java:817)
	at com.google.common.util.concurrent.AbstractFuture.addListener(AbstractFuture.java:595)
	at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1776)
	at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1713)
	at com.google.api.gax.grpc.ExceptionTransformingCallable.futureCall(ExceptionTransformingCallable.java:66)
	at com.google.api.gax.grpc.RetryingCallable$Retryer.run(RetryingCallable.java:129)
	at com.google.api.gax.grpc.RetryingCallable.futureCall(RetryingCallable.java:85)
	at com.google.api.gax.grpc.ChannelBindingCallable.futureCall(ChannelBindingCallable.java:64)
	at com.google.api.gax.grpc.PageImpl.<init>(PageImpl.java:63)
	at com.google.api.gax.grpc.PagedListResponseImpl.<init>(PagedListResponseImpl.java:57)
	at com.google.api.gax.grpc.PageStreamingCallable.futureCall(PageStreamingCallable.java:64)
	at com.google.api.gax.grpc.ApiCallable.futureCall(ApiCallable.java:237)
	at com.google.api.gax.grpc.ApiCallable.futureCall(ApiCallable.java:248)
	at com.google.api.gax.grpc.ApiCallable.call(ApiCallable.java:285)
	at com.google.cloud.monitoring.spi.v3.MetricServiceApi.listMetricDescriptors(MetricServiceApi.java:563)
	at com.google.cloud.monitoring.spi.v3.MetricServiceApi.listMetricDescriptors(MetricServiceApi.java:535)
	at mavendemo.monitoring.App.main(App.java:13)
Caused by: io.grpc.StatusRuntimeException: UNAUTHENTICATED
	at io.grpc.Status.asRuntimeException(Status.java:545)
	at io.grpc.stub.ClientCalls$UnaryStreamToFuture.onClose(ClientCalls.java:442)
	at io.grpc.ClientInterceptors$CheckedForwardingClientCall.start(ClientInterceptors.java:203)
	at io.grpc.ForwardingClientCall.start(ForwardingClientCall.java:47)
	at com.google.api.gax.grpc.HeaderInterceptor$1.start(HeaderInterceptor.java:64)
	at io.grpc.stub.ClientCalls.startCall(ClientCalls.java:273)
	at io.grpc.stub.ClientCalls.asyncUnaryRequestCall(ClientCalls.java:252)
	at io.grpc.stub.ClientCalls.futureUnaryCall(ClientCalls.java:189)
	at com.google.api.gax.grpc.DirectCallable.futureCall(DirectCallable.java:58)
	at com.google.api.gax.grpc.ExceptionTransformingCallable.futureCall(ExceptionTransformingCallable.java:65)
	... 12 more
Caused by: java.io.IOException: Scopes not configured for service account. Scoped should be specifed by calling createScoped or passing scopes to constructor.
	at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:186)
	at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:97)
	at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:74)
	at io.grpc.auth.ClientAuthInterceptor.getRequestMetadata(ClientAuthInterceptor.java:150)
	at io.grpc.auth.ClientAuthInterceptor.access$100(ClientAuthInterceptor.java:64)
	at io.grpc.auth.ClientAuthInterceptor$1.checkedStart(ClientAuthInterceptor.java:96)
	at io.grpc.ClientInterceptors$CheckedForwardingClientCall.start(ClientInterceptors.java:195)
	... 19 more
```

This is due to the scopes not being configured in the generated code - we're fixing that side of things, but we gather that gRPC design should allow service accounts to work without scopes being configured, as part of using JWT tokens.

The same failure occurs in C#, which is obviously a separate implementation - I'll be filing a separate bug for that.

ejona86 commented Nov 7, 2016

ClientAuthInterceptor doesn't automatically convert to using JWT. The credential you provide has to be JWT. However, that interceptor is deprecated. If you use MoreCallCredentials.from(Credentials), then it will use a JWT if the credential has no scopes.
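
The approach described in the comment above, as an added example that is not part of the original thread or of gRPC's own code: it wraps an unscoped service account credential with `MoreCallCredentials.from` and then prints the claims of the locally signed JWT that a scope-less JWT credential sends. The key pair, account e-mail, key id and audience URI are constructed placeholders, and it assumes `grpc-auth` plus a `google-auth-library-oauth2-http` release that provides the credential builders on the classpath.

```java
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.auth.oauth2.ServiceAccountJwtAccessCredentials;
import io.grpc.CallCredentials;
import io.grpc.auth.MoreCallCredentials;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;

public class JwtCallCredentialsExample {
    // Constructed placeholders, not values from the issue.
    static final String EMAIL = "example@constructed-project.iam.gserviceaccount.com";
    static final String KEY_ID = "constructed-key-id";
    static final URI AUDIENCE = URI.create("https://monitoring.googleapis.com/");

    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair throwaway = generator.generateKeyPair(); // constructed, never registered anywhere

        // A service account credential with no scopes, as in the report above.
        ServiceAccountCredentials unscoped = ServiceAccountCredentials.newBuilder()
                .setClientEmail(EMAIL)
                .setPrivateKeyId(KEY_ID)
                .setPrivateKey(throwaway.getPrivate())
                .build();
        System.out.println("createScopedRequired: " + unscoped.createScopedRequired());

        // Replacement for the deprecated ClientAuthInterceptor; attach the result
        // to a generated stub with stub.withCallCredentials(callCredentials).
        CallCredentials callCredentials = MoreCallCredentials.from(unscoped);
        System.out.println("call credentials: " + callCredentials.getClass().getSimpleName());

        // The JWT form of the same identity: signed locally, bound to one audience,
        // carrying no scopes and making no request to the OAuth2 token endpoint.
        ServiceAccountJwtAccessCredentials jwt = ServiceAccountJwtAccessCredentials.newBuilder()
                .setClientEmail(EMAIL)
                .setPrivateKeyId(KEY_ID)
                .setPrivateKey(throwaway.getPrivate())
                .build();
        String header = jwt.getRequestMetadata(AUDIENCE).get("Authorization").get(0);
        String payload = header.substring("Bearer ".length()).split("\\.")[1];
        // Print only the claims segment (iss, sub, aud, iat, exp), never the signature.
        System.out.println(new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8));
    }
}
```

The printed claims show that the token names a single audience rather than a set of scopes, so a captured token is only useful against that one service until it expires.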
