
We've been using the Google Directory API to get the profile of our users, on an internal app. When we authenticate, we've been using a JSON keyfile for a service account and the google-auth-library JWT class. The service account has Domain Wide Delegation to use this endpoint. Thus, the access token needs to have its subject set to a workspace admin.

const fs = require('fs')
const { JWT } = require('google-auth-library')

// key: the parsed contents of the service account JSON keyfile
const key = JSON.parse(fs.readFileSync('<path-to-keyfile.json>', 'utf8'))

const jwt = new JWT({
  email: key.client_email,
  key: key.private_key,
  subject: '<admin-email-address>', // workspace admin impersonated via domain-wide delegation
  scopes: 'https://www.googleapis.com/auth/admin.directory.user.readonly',
})

const accessToken = await jwt.getAccessToken() // resolves to { token, res } on JWT clients

Our organisation is trying to shift away from using keyfiles for service accounts, and move towards GKE Workload Identity. We can authenticate using application default credentials, setting the subject in clientOptions.

const { GoogleAuth } = require('google-auth-library')

// No keyfile: application default credentials resolve to the Workload Identity service account
const auth = new GoogleAuth({
  scopes: 'https://www.googleapis.com/auth/admin.directory.user.readonly',
  clientOptions: {
    subject: '<admin-email-address>'
  }
})

const accessToken = await auth.getAccessToken()

However, the access token created doesn't have the subject set. This means the token can't access the Directory API.

Is there a way to create a token that could, using Workload Identity?

  • Have you checked on the guide [Configure applications to use Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to)? Also, can you provide more details on the steps you have made? – Kessy Feb 22 '22 at 09:14
  • Sure. We followed that guide when setting it up. We assigned a k8s service account to the application; created an IAM service account; added an IAM policy binding; added the annotation; and the workload runs as the service account. We verified the binding - if we connect in an interactive session we have access to the IAM account. If we use google-auth library as above, with application default credentials, we can get an access token with the scopes we need. However, we can't set the subject of this access token. Because of domain wide delegation, we need to set the subject for our use case. – ddek Feb 23 '22 at 12:14
  • Have you found a solution? We are having the same problem here :S – Luc May 30 '23 at 02:33
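The route the question is circling, as an added example that is not from the question, the comments or google-auth-library's own docs: let the IAM Credentials API sign a delegated assertion (iss = service account, sub = the admin) with the service account's Google-managed key, then exchange it at the OAuth token endpoint, so no private key is ever downloaded. It assumes Node 18+ (global fetch), that the Workload Identity identity holds roles/iam.serviceAccountTokenCreator on the service account named by the SA_EMAIL placeholder, and that this service account has domain-wide delegation for the Directory scope.

```javascript
// Added example (not code from the question or the library): domain-wide delegation
// from Workload Identity via IAM Credentials signJwt, without a service account keyfile.
const TOKEN_URL = 'https://oauth2.googleapis.com/token'
const SA_EMAIL = '<service-account-email>'   // placeholder: the delegated service account
const ADMIN_EMAIL = '<admin-email-address>'  // placeholder, as in the question
const SCOPE = 'https://www.googleapis.com/auth/admin.directory.user.readonly'

// Claims for a service-account JWT assertion: iss is the service account,
// sub is the workspace user being impersonated. Google caps the lifetime at 1h.
function buildDelegatedClaims(saEmail, subject, scope, nowSeconds, ttlSeconds = 3600) {
  return {
    iss: saEmail,
    sub: subject,
    scope,
    aud: TOKEN_URL,
    iat: nowSeconds,
    exp: nowSeconds + Math.min(ttlSeconds, 3600),
  }
}

// Have IAM Credentials sign the claims. The caller authenticates with ADC, which on
// GKE resolves to the Workload Identity service account; the private key stays with Google.
async function signWithIamCredentials(saEmail, claims) {
  const { GoogleAuth } = require('google-auth-library') // required lazily: only needed online
  const auth = new GoogleAuth({ scopes: 'https://www.googleapis.com/auth/cloud-platform' })
  const client = await auth.getClient()
  const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${saEmail}:signJwt`
  const res = await client.request({ url, method: 'POST', data: { payload: JSON.stringify(claims) } })
  return res.data.signedJwt
}

// Exchange the signed assertion for an access token whose subject is the admin.
async function getDelegatedAccessToken() {
  const claims = buildDelegatedClaims(SA_EMAIL, ADMIN_EMAIL, SCOPE, Math.floor(Date.now() / 1000))
  const assertion = await signWithIamCredentials(SA_EMAIL, claims)
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  })
  const res = await fetch(TOKEN_URL, { method: 'POST', body })
  if (!res.ok) throw new Error(`token exchange failed: ${res.status} ${await res.text()}`)
  return (await res.json()).access_token // bearer token for the Directory API as the admin
}
```

The token creator role is the thing to keep narrow: grant it on that one service account, not project-wide, since whoever holds it can mint delegated tokens for any user in the domain.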

0 Answers