
I am following the instructions at the link below to use Service account authorization without OAuth to create a key ring. https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth

I am getting an authorization error. Here's my command; I am running Java code to generate a JWT bearer token and invoking curl.

curl --request POST "https://cloudkms.googleapis.com/v1/projects/<project ID>/locations/global/keyRings?keyRingId=<value>" --header "Authorization: Bearer <JWT bearer token>" --header "Accept: application/json" --header "Content-Type: application/json" --data '{}' --compressed

Error message:

POST Response Code :  401
POST Response Message : Unauthorized
POST NOT WORKED

If I use the server-to-server OAuth2 method and post with an access token generated using the OAuth2 playground, the call is successful. Will the JWT bearer token method work for KMS?

  • What type of token are you using and how is it generated? You need to create an Access Token (which is OAuth by the way). Typically, when someone says JWT Bearer Token they mean Signed JWT. You need to first exchange the Signed JWT for an Access Token. Then use that in your Authorization header. I wrote an article that explains these steps in more detail: https://www.jhanley.com/google-cloud-creating-oauth-access-tokens-for-rest-api-calls/ – John Hanley Feb 24 '20 at 16:43
  • JWT token using the private key generated for the service account. Yes, I understand the OAuth2 process needed to create the access token from the authz server. But the method outlined doesn't require that process. Maybe "Service account authorization without OAuth" will only work if you are using the native Java API and not over REST. – Srinivasan Vanamali Feb 24 '20 at 22:55
  • The method outlined is not supported by KMS. You must exchange the Signed JWT for an Access Token. This is very easy to do. Otherwise use the client libraries to create the Access Token. – John Hanley Feb 24 '20 at 23:51
  • Thanks for clarifying. Appreciate it John. – Srinivasan Vanamali Feb 25 '20 at 02:03
  • FYI: In the old days there were API Keys, then came Signed JWT which is only supported by some services (not all). Today, OAuth Access Tokens are the standard. Tomorrow is OAuth Identity Tokens which are now supported by a few services such as Cloud Run, Cloud Functions, Cloud Scheduler and a few more. – John Hanley Feb 25 '20 at 02:22

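The exchange John Hanley describes, as an added Go example that is not from the question, the comments, or Google's client libraries: the service account key signs a JWT whose audience is the token endpoint, that JWT is traded for an OAuth access token, and only the access token goes in the Authorization header of the KMS call. The service account e-mail, the cloud-platform scope and the use of a throwaway RSA key are assumptions; in real use the key comes from the `private_key` field of the service account JSON key file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

const tokenURL = "https://oauth2.googleapis.com/token" // the signed JWT goes here, not to KMS

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs the JWT-bearer assertion (RS256). Its aud is the token endpoint
// and it carries a scope, unlike the self-signed JWT (aud = KMS URL, no scope) in the question.
func BuildAssertion(email string, key *rsa.PrivateKey, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(map[string]any{"iss": email, "aud": tokenURL, "iat": now.Unix(),
		"exp": now.Add(time.Hour).Unix(), "scope": "https://www.googleapis.com/auth/cloud-platform"})
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// ExchangeForAccessToken trades the assertion for the short-lived access token that
// belongs in "Authorization: Bearer ..." on the KMS request (the assertion itself gets 401).
func ExchangeForAccessToken(assertion string) (string, error) {
	resp, err := http.PostForm(tokenURL, url.Values{"assertion": {assertion},
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out map[string]any // access_token + expires_in, or error + error_description
	_ = json.NewDecoder(resp.Body).Decode(&out) // a non-JSON body leaves out empty
	if tok, ok := out["access_token"].(string); ok && tok != "" {
		return tok, nil
	}
	return "", fmt.Errorf("token exchange failed: %v", out["error_description"])
}
```

With a key from the real JSON key file, `ExchangeForAccessToken(BuildAssertion(...))` returns the token to pass to curl as `--header "Authorization: Bearer <access token>"`; a key Google does not know is answered with `invalid_grant`.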