1

I want to get a generic token for a default service account. I have used the command below to get the token:

gcloud auth print-identity-token projectId@appspot.gserviceaccount.com 

I want to get this token programmatically. I have tried getting this token using google-auth-library, but it takes the audience as the Cloud Function URL. I want to get a generic token which authenticates all Cloud Functions, like maybe using projectId as the audience.

Is there any other way to get the token or is there a way to get the generic token for the service account?

Renee

1 Answer

2

If you know how the JWT is built, you can extract the audience by yourself.

  • The JWT format is: <header>.<body>.<signature>
  • each part is base 64 encoded

So, if you decode the <body> part, you can see an aud equal to 32555940559.apps.googleusercontent.com

You can reuse this audience in your other ID token generation.


Update 1

As wisely mentioned by John in the comments, the gcloud default audience is like a hack implemented by Google Cloud. There is no guarantee or commitment on the future of that hack, or on any further rate limit restriction.

So, use it for test, dev (and fun) but keep in mind that's not the standard way to invoke services and that could be broken in the future.

guillaume blaquiere
  • That audience value is intended for Google tools for developers. Are there security risks, such as being blocked, for using that audience value? I don't know if this applies but in conversations with Google security engineers, they have tools that detect abuse. I would not recommend this method for production apps. For development, it does work. – John Hanley Jul 28 '23 at 19:01
  • Totally agree, I was also surprised it worked outside the gcloud token generation context. Because it's like a hack, I don't know how long it will live before Google deploys a more robust alternative. – guillaume blaquiere Jul 28 '23 at 20:31
  • I agree. You correctly answer the question asked, but that is why details and context are important for questions. That often changes the answer. In any event, a cool hack that makes quick prototyping easier. – John Hanley Jul 28 '23 at 21:02
  • @guillaumeblaquiere I want an identity token of a service account associated with a project. The gcloud command mentioned in the question gives a token which can be used to authenticate all the cloud functions inside the project, but it's a command. I want to get the same token but programmatically. – Renee Jul 30 '23 at 18:11
  • @Renee - Search his other answers. He has posted Node.js code for creating Identity Tokens. Google also has examples on its website. – John Hanley Jul 30 '23 at 18:29
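
The decoding step described in the answer above (split <header>.<body>.<signature>, decode the body, read aud), as an added Node.js example that is not part of the original answer or comments. The function names are hypothetical and the sample token is constructed with a placeholder signature; the code only decodes claims and does not verify the signature.

```javascript
// Decode (not verify) a compact JWT to inspect its audience and expiry.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8"); // Node tolerates missing padding
}

function b64urlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns the decoded header and claims; rejects anything that is not three segments.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected <header>.<body>.<signature>");
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    claims: JSON.parse(b64urlDecode(parts[1])),
  };
}

// Summarises the claims a receiving service checks: aud (string or array) and exp.
function inspectAudience(token, expectedAud, nowSeconds) {
  const { claims } = decodeJwt(token);
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return {
    audiences,
    audienceMatches: audiences.includes(expectedAud),
    expired: typeof claims.exp !== "number" || claims.exp <= nowSeconds,
  };
}

// Constructed sample token: claim values are illustrative, the signature is a placeholder.
const GCLOUD_AUD = "32555940559.apps.googleusercontent.com"; // audience quoted in the answer
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({
    iss: "https://accounts.google.com",
    aud: GCLOUD_AUD,
    email: "projectId@appspot.gserviceaccount.com",
    iat: 1690570000,
    exp: 1690573600,
  })),
  "constructed-signature-not-valid",
].join(".");

console.log(inspectAudience(sampleToken, GCLOUD_AUD, 1690571000));
```

Pasting the output of the gcloud command from the question in place of sampleToken shows which audience that token actually carries.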