
Support domain-wide delegation without downloaded service account keys #1064

Open
weiminyu opened this issue Oct 21, 2022 · 3 comments
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@weiminyu

weiminyu commented Oct 21, 2022

Problem Summary
Currently we create delegated credentials using downloaded ServiceAccount keys.

We learned that the python auth library supports using the Application Default Credential (ADC)
to generate delegated credentials, thus avoiding private key downloads which is a security risk.
The java library apparently does not support this feature.

Use Case Details
We have a service account S that has domain-wide delegation permission on our domain as user U.
We have downloaded a ServiceAccount key for S and use it to create delegated credentials:

GoogleCredentials.fromStream(text-fetched-from-db)
   .createDelegated("user-U@our-domain.co")
   .createScoped(...);

The python library shows that it is possible to use the ADC to generate a credential for S. A detailed example
can be found here. If this is supported in the java library, presumably the new code would look like below.
The only requirement is for the ADC to have token creator permission on service account S.

SomeCredentials.newBuilder()
   .setSigner(GoogleCredentials.getApplicationDefault())   // ADC signs the assertion; no key file
   .setIssuer(service-account-S-email)                     // the service account being impersonated
   .createDelegated("user-U@our-domain.co")
   .createScoped(...);

Edited on Oct 24: I was wrong saying it is possible to "use the ADC to generate a credential for S". What can be done is
as follows:

  • Domain-wide delegation needs to be granted to the ADC; we can no longer use the service account S.
  • The above being done, we can use the ADC to sign an access token for itself. We verified that this is doable with AppEngine and Java using a hacked version of ServiceAccountCredentials.java.

@clundin25 clundin25 added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Nov 8, 2022
@gaurav517

Is there a workaround for this? Any other library suggestion that can help? We don't want to use service account keys to create delegated credentials. I know that with node/typescript client, we don't have to use json keys to use a service account domain-wide-delegation in GKE environment. It would be nice to have that support here too.

@weiminyu

weiminyu commented Jul 6, 2023

@gaurav517 We ended up using a custom implementation. We started with a copy of ServiceAccountCredentials.java, and only had to make very few changes:
https://github.com/google/nomulus/blob/master/core/src/main/java/google/registry/config/DelegatedCredentials.java
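
The approach described in the Oct 24 edit and in the comment above (copy ServiceAccountCredentials.java, replace the private-key signature with one produced by the Application Default Credentials) looks roughly like the following. This is an added example written for this thread; it is not code from google-auth-library-java or from the Nomulus DelegatedCredentials class linked above. It assumes the ADC implementation on the runtime (GCE, GKE, App Engine) implements `ServiceAccountSigner`, which ComputeEngineCredentials does via the IAM signBlob API, that the ADC service account itself has been granted domain-wide delegation in the Workspace admin console, and that it holds the Service Account Token Creator role on itself so that signBlob is permitted. The class name `AdcDelegatedCredentials` and the factory method are the example's own.

```java
// Added example, not the library's or the Nomulus project's code: an OAuth2Credentials
// subclass that mints a domain-wide-delegated access token without a downloaded key.
// The jwt-bearer assertion is signed by the ServiceAccountSigner that the Application
// Default Credentials expose (an IAM signBlob call on GCE/GKE/App Engine), so the ADC
// service account is the identity that must be granted domain-wide delegation.
import com.google.auth.ServiceAccountSigner;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2Credentials;

import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.Date;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class AdcDelegatedCredentials extends OAuth2Credentials {
  private static final String TOKEN_URI = "https://oauth2.googleapis.com/token";
  private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

  private final ServiceAccountSigner signer; // signs with the ADC identity; no key on disk
  private final String delegatedUser;        // Workspace user to act as (the "sub" claim)
  private final List<String> scopes;

  public AdcDelegatedCredentials(ServiceAccountSigner signer, String delegatedUser, List<String> scopes) {
    this.signer = signer;
    this.delegatedUser = delegatedUser;
    this.scopes = scopes;
  }

  /** Builds from ADC; fails early when ADC cannot sign (e.g. gcloud user credentials on a laptop). */
  public static AdcDelegatedCredentials fromApplicationDefault(String delegatedUser, List<String> scopes)
      throws IOException {
    GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
    if (!(adc instanceof ServiceAccountSigner)) {
      throw new IOException("ADC of type " + adc.getClass().getSimpleName() + " cannot sign blobs");
    }
    return new AdcDelegatedCredentials((ServiceAccountSigner) adc, delegatedUser, scopes);
  }

  /** Same exchange ServiceAccountCredentials performs, but the RS256 signature comes from the signer. */
  @Override
  public AccessToken refreshAccessToken() throws IOException {
    long now = Instant.now().getEpochSecond();
    long exp = now + 3600; // one hour is the maximum lifetime the token endpoint accepts
    String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
    String claims = "{"
        + "\"iss\":\"" + signer.getAccount() + "\","          // the ADC service account
        + "\"sub\":\"" + delegatedUser + "\","                 // domain-wide delegation target
        + "\"scope\":\"" + String.join(" ", scopes) + "\","
        + "\"aud\":\"" + TOKEN_URI + "\","
        + "\"iat\":" + now + ",\"exp\":" + exp + "}";
    String signingInput = b64(header) + "." + b64(claims);
    // ServiceAccountSigner.sign() is RSA-SHA256 (PKCS#1 v1.5) over the bytes, i.e. RS256.
    byte[] signature = signer.sign(signingInput.getBytes(StandardCharsets.UTF_8));
    String assertion = signingInput + "." + B64.encodeToString(signature);

    String form = "grant_type=" + URLEncoder.encode("urn:ietf:params:oauth:grant-type:jwt-bearer", StandardCharsets.UTF_8)
        + "&assertion=" + URLEncoder.encode(assertion, StandardCharsets.UTF_8);
    HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_URI))
        .header("Content-Type", "application/x-www-form-urlencoded")
        .POST(HttpRequest.BodyPublishers.ofString(form))
        .build();
    HttpResponse<String> response;
    try {
      response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
    } catch (InterruptedException e) {
      Thread.currentThread().interrupt();
      throw new IOException("token exchange interrupted", e);
    }
    if (response.statusCode() != 200) {
      // A 401 "unauthorized_client" here usually means the ADC account lacks delegation
      // for these scopes, not that the signature is wrong.
      throw new IOException("token endpoint returned " + response.statusCode() + ": " + response.body());
    }
    String token = jsonField(response.body(), "access_token");
    long expiresIn = Long.parseLong(jsonField(response.body(), "expires_in"));
    return new AccessToken(token, new Date((now + expiresIn) * 1000));
  }

  private static String b64(String s) {
    return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
  }

  /** Minimal extraction of a string or number field from the flat token response. */
  private static String jsonField(String json, String name) throws IOException {
    Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"?([^\",}]+)").matcher(json);
    if (!m.find()) throw new IOException("field '" + name + "' missing in token response");
    return m.group(1);
  }
}
```

Usage is the same as for any other credential, for example `AdcDelegatedCredentials.fromApplicationDefault("user-U@our-domain.co", List.of("https://www.googleapis.com/auth/admin.directory.user.readonly"))`, then passing it to a client's `setCredentials`. The caveat this makes explicit is the one weiminyu found on Oct 24: the `iss` claim is `signer.getAccount()`, the ADC identity, so delegation cannot be borrowed from a different service account S; the ADC account itself has to be the one registered for domain-wide delegation, and every signBlob call is recorded in Cloud Audit Logs under that account.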

@czp3009

czp3009 commented May 8, 2024

any update? i really need this
