
I have created a workload identity pool with a third-party (auth0) provider. I have configured my service account with a domain-wide delegation and have enabled GMAIL API as well. I could generate STS token successfully but while executing mail client it's giving me an error. Previously with the service account approach, I used to provide email as subject to delegate access to the service account. Since I am using workload identity (to eliminate keys), I am getting an error "precondition check failed".

What are the limitations of the Workload Identity federation? Can we access user data(mail/drive files) if we have enabled domain-wide delegation for the service accounts being used for the Workload identity federation?

I am attaching a snippet here:

    // googleapis Node.js client; jsonConfig holds the external-account (Workload Identity
    // Federation) client library configuration downloaded from the pool/provider.
    const { google } = require('googleapis');

    async function main2() {
        const authClient = google.auth.ExternalAccountClient.fromJSON(jsonConfig);

        authClient.scopes = [
            'https://www.googleapis.com/auth/gmail.readonly',
            'https://www.googleapis.com/auth/cloud-platform',
        ];

        const gmail = google.gmail({
            auth: authClient,
            version: 'v1',
        });

        // This is the call that fails with "precondition check failed": the federated
        // credential carries no delegated subject, unlike a service-account JWT.
        const response = await gmail.users.getProfile({
            userId: 'abc@domain.com',
        });

        console.log(response);
    }

    main2().catch(console.error);

JSON config contains client library config. I am using the node.js client library.

My use case is to take these configs from clients(mostly orgs) to access sheets, drive, email of their users.

  • I do not think you can. How will you set the **subject**? However, I have not tried to do this. – John Hanley Mar 24 '22 at 17:18
  • @JohnHanley Yes; I won't be able to pass the subject. I was hoping there was some way to do so. I tried a workaround. I signed a JWT using the above method, which delegates service account authority to a new sub, and then made a POST call using that signed JWT to retrieve an access token. I was able to access the required data this way, but I was hoping there was a proper solution. I used `await iamCredentialsClient.projects.serviceAccounts.signJwt({ .... })` to generate the signed JWT. I don't know if this is the right way to do that. – knucklehead Mar 28 '22 at 06:37
  • Yes, using signJwt is the correct method. I often recommend that method when the private key is not available. I just have not tested that with Workload Identity Federation. – John Hanley Mar 28 '22 at 17:01
  • @JohnHanley yep, thanks for the input. I was unsure whether I was going with the right solution. Thanks for the help. P.S.: This was my first question on StackOverflow. – knucklehead Mar 29 '22 at 04:58
  • You picked a challenging topic. Post an answer with your solution. There is a lot of interest in both Workload Identity Federation and Domain Wide Delegation separately and together. – John Hanley Mar 29 '22 at 05:12
  • @knucklehead, any update on how you got this to work? I've run into the same issue and could use some guidance getting this to work. – user3766476 Jan 05 '23 at 14:13

0 Answers