feat: add GoogleAuth.sign() support to external account client #1227

Merged
merged 2 commits into from Aug 10, 2021

bojeil-google
Contributor

External account credentials previously did not support signing blobs.
The implementation previously depended on service account keys or
the service account email in order to call IAMCredentials signBlob.

When service account impersonation is used with external account
credentials, we can get the impersonated service account email and
call the signBlob API with the generated access token, provided the
token has the `iam.serviceAccounts.signBlob` permission. This is
included in the "Service Account Token Creator" role.

Fixes #1215
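
The flow described above, as an added example that is not code from this pull request or from google-auth-library: derive the impersonated service account email from an external account config and build the IAM Credentials `signBlob` request. The function names, the sample config, the token placeholder and the host check are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not the library's API.
const IAM_HOST = 'iamcredentials.googleapis.com';

// Pull the impersonated service account email out of the config's
// service_account_impersonation_url; null when it cannot be derived.
function impersonatedEmail(config) {
  const raw = config.service_account_impersonation_url;
  if (!raw) return null; // no impersonation configured: no identity to sign as
  try {
    const url = new URL(raw);
    // Assumption: only trust the public IAM Credentials endpoint over HTTPS.
    if (url.protocol !== 'https:' || url.hostname !== IAM_HOST) return null;
    const path = decodeURIComponent(url.pathname);
    const m = /\/serviceAccounts\/([^/:]+):generateAccessToken$/.exec(path);
    return m ? m[1] : null;
  } catch {
    return null; // malformed URL or percent-encoding
  }
}

// Build (without sending) the signBlob call. The access token must carry
// iam.serviceAccounts.signBlob on the target service account.
function buildSignBlobRequest(config, accessToken, data) {
  const email = impersonatedEmail(config);
  if (!email) {
    throw new Error('Cannot sign: no impersonated service account in config');
  }
  const account = encodeURIComponent(email);
  return {
    method: 'POST',
    url: `https://${IAM_HOST}/v1/projects/-/serviceAccounts/${account}:signBlob`,
    headers: {
      Authorization: `Bearer ${accessToken}`,
      'Content-Type': 'application/json',
    },
    // The API expects the bytes to sign as base64 in "payload".
    body: JSON.stringify({payload: Buffer.from(data).toString('base64')}),
  };
}

// Constructed sample config and placeholder token.
const sampleConfig = {
  type: 'external_account',
  service_account_impersonation_url:
    `https://${IAM_HOST}/v1/projects/-/serviceAccounts/` +
    'signer@example-project.iam.gserviceaccount.com:generateAccessToken',
};
const req = buildSignBlobRequest(sampleConfig, 'ACCESS_TOKEN_PLACEHOLDER', 'hello');
console.log(req.url);
```

A config without an impersonation URL yields no email, so the signing call is refused instead of being sent with an undefined identity.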
@bojeil-google bojeil-google requested review from a team as code owners August 5, 2021 23:25
@google-cla google-cla bot added the cla: yes label Aug 5, 2021
@bojeil-google bojeil-google added the owlbot:run label Aug 10, 2021
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run label Aug 10, 2021
@bojeil-google bojeil-google merged commit 1ca3b73 into googleapis:master Aug 10, 2021
gcf-owl-bot bot added a commit that referenced this pull request Sep 29, 2021
Source-Link: googleapis/synthtool@d4236bb
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-nodejs:latest@sha256:c0ad7c54b9210f1d10678955bc37b377e538e15cb07ecc3bac93cc7219ec2bc5
Successfully merging this pull request may close these issues.

GoogleAuth.sign does not work with ExternalCredentials