
I'm trying to create a Node.js-based Cloud Function that uses domain-wide delegation to call the API method gmail.users.settings.delegates.list.

I'm looking for a solution that does not use the service account JSON key; I want to use the default credentials instead.

I configured my local env to emulate the Cloud Function env using this launch.json file:

{
    "version": "0.2.0",
    "configurations": [
        {
            "type": "node",
            "request": "launch",
            "name": "Launch usersOnBehalfCheck",
            "skipFiles": [
                "<node_internals>/**"
            ],
            "env": {
                "GCP_PROJECT":"projectId",
                "GOOGLE_APPLICATION_CREDENTIALS": "pathToJsonFile.json"
            },
            "program": "${workspaceFolder}/index.js"
        }
    ]
}

Printing out the GOOGLE_APPLICATION_CREDENTIALS env variable inside GCF, it seems this variable doesn't exist at all, but I don't understand how to better simulate the GCF env.

Talking about the auth object, I found two ways:

First:

// Assumes the usual setup: const { google } = require('googleapis');
// const { GoogleAuth } = require('google-auth-library'); const gmail = google.gmail('v1');
// The impersonated user is passed as the client's subject at construction time.
const gmailDWDAuth = new GoogleAuth({ clientOptions: { subject: inputData.userPrimaryEmail }, scopes: ['https://www.googleapis.com/auth/gmail.settings.basic'] });

console.info({ gmailDWDAuth: gmailDWDAuth }, null, 2);
return gmail.users.settings.delegates.list({ userId: 'me', auth: gmailDWDAuth });

Second:

// Same setup as above; google.auth.getClient() returns whatever client the
// Application Default Credentials resolve to in the current environment.
const gmailDWDAuth = await google.auth.getClient({ clientOptions: { subject: inputData.userPrimaryEmail }, scopes: ['https://www.googleapis.com/auth/gmail.settings.basic'] });

console.info({ gmailDWDAuth: gmailDWDAuth }, null, 2);
return gmail.users.settings.delegates.list({ userId: 'me', auth: gmailDWDAuth });

inputData.userPrimaryEmail contains a valid G Suite account in the same organization as the service account.

Both ways work fine locally but stop working, with a Bad Request error, when I publish the GCF to GCP.

Can anyone help?


EDIT

After some hours I found this post that speaks about it.

I modified my code following its instructions.

Third:

const util = require('util');
// Obtain the default client first, then set the subject on the client object.
const DWDAuth = await google.auth.getClient({ scopes: ['https://www.googleapis.com/auth/gmail.settings.basic'] });
DWDAuth.subject = inputData.userPrimaryEmail;
console.info(util.inspect({ DWDAuth: DWDAuth }));

return gmail.users.settings.delegates.list({ userId: inputData.userPrimaryEmail, auth: DWDAuth });

Fourth:

const util = require('util');
// Same idea via GoogleAuth: build the auth instance, get its client, then set the subject.
const DWDAuth = new GoogleAuth({ scopes: ['https://www.googleapis.com/auth/gmail.settings.basic'] });
const DWDAuthClient = await DWDAuth.getClient();
DWDAuthClient.subject = inputData.userPrimaryEmail;

console.info(util.inspect({ DWDAuthClient: DWDAuthClient }));

return gmail.users.settings.delegates.list({ userId: inputData.userPrimaryEmail, auth: DWDAuthClient });

As before, all of these work fine locally, but I get Bad Request in GCF.

  • 1) `GOOGLE_APPLICATION_CREDENTIALS` does not exist in Cloud Functions. The credentials come from the Google Metadata server and are derived from the service account that you assigned to Cloud Functions. 2) You do not have access to the Private Key for metadata credentials. You must use your own service account JSON key file to implement Domain Wide Delegation. I recommend storing the key file encrypted and protected by Key Vault. – John Hanley Jan 05 '20 at 18:16
  • Exactly, the JSON key file comes with some problems. It could be stolen, could be invalidated and, of course, must be stored extremely securely if it has domain-wide delegation active. All these are exactly the reasons why I would like to not use it. Have you read the last link I posted? They said that it is possible but, again, it doesn't work :( – Ryuk Ryuk Jan 05 '20 at 18:44
  • App Engine and Cloud Functions have entirely different environments. There is no management API with Cloud Functions. As I said, you do not have access to the private key. This means that your code would need to request Google to sign your requests. This does not work for delegation of a default service account from the metadata server. I have written many articles and deep dives on Google Cloud Credentials: https://www.jhanley.com/ – John Hanley Jan 05 '20 at 18:54
