Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Service account: Cannot set user to impersonate using GoogleCredential fromStream #1007

Closed
WilsonGiese opened this issue Apr 14, 2016 · 10 comments
Closed

Service account: Cannot set user to impersonate using GoogleCredential fromStream #1007

WilsonGiese opened this issue Apr 14, 2016 · 10 comments
Assignees
@chingor13
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@WilsonGiese
Copy link

I'm trying to use a service account to automatically manage/create groups using the Directory API. When I try to use a service account with the credentials in the form of JSON and try to use the GoogleCredential.fromStream(...) call, there does not seem to be a way to set the user, and at least for the Admin API I cannot get calls to work without impersonating a user as I always get Forbidden (403) responses.

Using the GoogleCredential Builder seems to work fine with the PKCS12 formatted key as long as I set the user, but your docs and console seem to recommend to use the JSON formatted credential file.

Have I missed something, or is this functionality not available without using the builder?
@ejona86
Copy link
Contributor

ejona86 commented Apr 14, 2016

as long as I set the user

How are you going about setting the user in the PKCS12 case?

@WilsonGiese
Copy link
Author

The builder itself has a set method

See https://developers.google.com/api-client-library/java/google-api-java-client/reference/1.19.1/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.Builder#setServiceAccountUser(java.lang.String)

@abhishek-choudhury
Copy link

Hey Wilson,

Did you get a response on this issue?
Am facing the exact same thing. I wonder how one can set a service account ID whilst building GoogleCredential fromStream.

@WilsonGiese
Copy link
Author

@abhishek-choudhury No, I never heard anything. I resorted to using the builder with a PKCS12 file.

@abhishek-choudhury
Copy link

@WilsonGiese Thanks for your response Wilson!
I'll go back to P12 too in that case.

@netp-dany
Copy link

netp-dany commented Dec 1, 2016
edited by mattwhisenhunt
Loading

Hi,

There is a work around, please have a look at the code below.
In case you really need to use json.

public GoogleCredential getCredentials(HttpTransport httpTransport, JsonFactory jsonFactory) throws GeneralSecurityException, IOException {
    List<String> scopes = new ArrayList<>();
    scopes.add(DirectoryScopes.ADMIN_DIRECTORY_USER);
    scopes.add(DirectoryScopes.ADMIN_DIRECTORY_USER_READONLY);

    InputStream credentialsJSON = ServiceAccountCredentials.class.getClassLoader()
            .getResourceAsStream("service_account.json");

    GoogleCredential gcFromJson = GoogleCredential.fromStream(credentialsJSON, httpTransport, jsonFactory).createScoped(scopes);

    return new GoogleCredential.Builder()
            .setTransport(gcFromJson.getTransport())
            .setJsonFactory(gcFromJson.getJsonFactory())
            .setServiceAccountId(gcFromJson.getServiceAccountId())
            .setServiceAccountUser("[email protected]")
            .setServiceAccountPrivateKey(gcFromJson.getServiceAccountPrivateKey())
            .setServiceAccountScopes(gcFromJson.getServiceAccountScopes())
            .build();
}

@sanbornick
Copy link

JSON all the things! The console will issue JSON by default and make you dig for P12's. Lets go future! Except here. Don't look here.

This issue has only been open for a year I guess...

@sanbornick sanbornick mentioned this issue Mar 1, 2017
Closed
@nddipiazza
Copy link

nddipiazza commented Jul 27, 2017
edited
Loading

@netp-dany awesome! i've been looking for hours for an example. aka you're a f*king genius

@nbali
Copy link

nbali commented Jan 6, 2018
edited
Loading

Will one of the PRs aimed at solving this will be merged? #1036 and/or #1079?

@mattwhisenhunt mattwhisenhunt added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. status: investigating labels Jan 8, 2018
netp-dany added a commit to netp-dany/google-api-java-client that referenced this issue May 25, 2018
@netp-dany
googleapis#1007 - adding option to impersonate a user with backward c…
ae2d8db 
…ompatibility
@netp-dany netp-dany mentioned this issue May 25, 2018
Closed
@JustinBeckwith JustinBeckwith added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. 🚨 This issue needs some love. and removed status: investigating priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Jun 7, 2018
@JustinBeckwith JustinBeckwith removed the 🚨 This issue needs some love. label Jun 25, 2018
@chingor13
Copy link
Collaborator

Fixed in #1079

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chingor13 chingor13

Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@chingor13 @JustinBeckwith @nbali @sanbornick @WilsonGiese @nddipiazza @ejona86 @mattwhisenhunt @abhishek-choudhury @netp-dany