How to get GoogleAuth from ExternalAccountClient #1896

Closed
antspy opened this issue Nov 19, 2024 · 1 comment
Labels: type: question (Request for information or clarification. Not an issue.)

antspy commented Nov 19, 2024

Hi,

I am trying to connect to my Cloud Run backend from the Vercel frontend (not client side).

I have set up the workload federated identity, and the connection appears to work correctly if I run the following:

    import { ExternalAccountClient } from "google-auth-library";
    import { getVercelOidcToken } from "@vercel/functions/oidc";

    // The GCP_* values are configuration constants defined elsewhere.
    const authClient = ExternalAccountClient.fromJSON({
      type: "external_account",
      audience: `//iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID}`,
      subject_token_type: "urn:ietf:params:oauth:token-type:jwt",
      token_url: "https://sts.googleapis.com/v1/token",
      service_account_impersonation_url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GCP_SERVICE_ACCOUNT_EMAIL}:generateAccessToken`,
      subject_token_supplier: {
        // Use the Vercel OIDC token as the subject token.
        getSubjectToken: getVercelOidcToken,
      },
    });

This is fine; however, what I really need is the GoogleAuth object, which I can use to get the ID token required to connect to the Cloud Run backend - something like this:

    import { GoogleAuth } from "google-auth-library";

    const auth = new GoogleAuth({
      scopes: "https://www.googleapis.com/auth/cloud-platform",
      projectId: GCP_PROJECT_ID,
    });
    const idTokenclient = await auth.getIdTokenClient(backend_url);
    const response = await idTokenclient.request({ url: backend_url });

What I don't understand is how to go from the ExternalAccountClient to the GoogleAuth client. Is there a way I can pass the accessToken or some sort of credentials to the GoogleAuth call? (Which I believe right now would just try to reuse the local auth credentials from the machine, which are not available on a serverless environment?)

@d-goog d-goog self-assigned this Dec 18, 2024
@d-goog d-goog added the type: question Request for information or clarification. Not an issue. label Dec 18, 2024
d-goog (Collaborator) commented Dec 18, 2024

You can use GoogleAuth#fromJSON for this use case. GoogleAuth wraps AuthClients, such as ExternalAccountClient. Alternatively, you can also pass ExternalAccountClient to GoogleAuth:

    const authClient = ExternalAccountClient.fromJSON(/* external_account options */);
    const auth = new GoogleAuth({authClient});

@d-goog d-goog closed this as completed Dec 18, 2024
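
What the `external_account` configuration in the question describes on the wire, written out by hand as an added example (not code from this thread or from google-auth-library): the Vercel OIDC token is exchanged at the STS `token_url`, and the federated token is then used to impersonate the service account. Assumptions of this example: step 2 calls `generateIdToken` rather than the `generateAccessToken` URL in the question, the workload identity pool principal is permitted to mint ID tokens for that service account, and the `cfg` field names and the injectable `fetchImpl` are hypothetical.

```javascript
// Added example: the federation flow done by hand. fetchImpl is injectable so
// the flow can be exercised offline with a stub.
const STS_URL = "https://sts.googleapis.com/v1/token";
const IAM_BASE = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts";

async function post(fetchImpl, url, init) {
  const res = await fetchImpl(url, { method: "POST", ...init });
  if (!res.ok) throw new Error(`POST ${url} failed with HTTP ${res.status}`);
  return res.json();
}

// cfg = { audience, serviceAccountEmail, getSubjectToken }; these field names
// are assumptions of this example, not google-auth-library options.
async function mintCloudRunIdToken(cfg, backendUrl, fetchImpl = fetch) {
  // Refuse anything that could alter the IAM Credentials URL path.
  if (!/^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$/.test(cfg.serviceAccountEmail)) {
    throw new Error("unexpected service account email format");
  }
  // Step 1: trade the external OIDC token (here: Vercel's) for a short-lived
  // federated access token at the Security Token Service.
  const sts = await post(fetchImpl, STS_URL, {
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
      audience: cfg.audience,
      scope: "https://www.googleapis.com/auth/cloud-platform",
      requested_token_type: "urn:ietf:params:oauth:token-type:access_token",
      subject_token_type: "urn:ietf:params:oauth:token-type:jwt",
      subject_token: await cfg.getSubjectToken(),
    }).toString(),
  });
  // Step 2: impersonate the service account, asking for an ID token whose
  // audience is the Cloud Run URL instead of an access token.
  const out = await post(fetchImpl, `${IAM_BASE}/${cfg.serviceAccountEmail}:generateIdToken`, {
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${sts.access_token}`,
    },
    body: JSON.stringify({ audience: backendUrl, includeEmail: true }),
  });
  return out.token;
}

// Step 3: present the ID token to the Cloud Run service.
async function callBackend(cfg, backendUrl, fetchImpl = fetch) {
  const idToken = await mintCloudRunIdToken(cfg, backendUrl, fetchImpl);
  return fetchImpl(backendUrl, { headers: { Authorization: `Bearer ${idToken}` } });
}
```

Both tokens are short-lived bearer credentials, so neither should be logged or returned to the browser.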