Default credentials on App Engine standard (Py3) do not support custom scopes #579
Comments
Hi @davidwtbuxton, I believe Compute Engine is the only one (that uses the metadata server) and prevents additional scopes. IIRC, NodeJS and possibly other language's auth libraries already allow scope changes for this type of credential. I think it would be appropriate to make that change here as well. If you are able to make a PR we would be happy to review. 😄
Thanks for the context @busunkim96. I will go and test things for Compute Engine and Flex, and come back with a plan for how to add this feature. Obviously it would be great if we can avoid having more special cases.
First thing I would like to do is change the
This would be a useful re-factor so that we can use the Then we can add support for scoped tokens on Python 3. Here are some ways of doing it:
I am slightly in favour of option 3.
I also support option 3. This looks the most elegant.
It would be preferable to fix this not just for App Engine, but also for Cloud Run, Cloud Functions, and GKE Workload Identity (all of which support scopes). So we should change the behavior of
The module naming is a product of the time they were created. I believe GCE is the only one out of the bunch that disallows scope changes, so I vote for 2. NodeJS started to allow scopes in their compute credentials class last year. They have a note stating that it only works in some environments. See code and PR. I think we could do the same here? The scopes won't be respected by GCE, but should work as desired in other environments.
@busunkim96 Thanks for pointers to the Node PR. I'll have a go at updating the compute engine credentials.
@busunkim96 would it still work for default credentials however, by extension that
@dinvlad Yes, option 2 would not change the order of tests done in
Any updates on this? Thanks!
Picking this up again.
Part of #579 This helper is used with '?recursive=true' in one place, and can now be used by IDTokenCredentials for requests with query parameters to the metadata identity end-point. This change will allow making requests to the token end-point with '?scopes=..' query parameters.
I suppose I'm hitting the same issue on a GKE cluster with workload identity enabled. I can successfully authenticate and interact with any GCP services (GCS, BigQuery, etc), but trying to fetch data from Google Analytics fails with:
Closing this issue because the original request about using scopes with default credentials is all good. Looks like the user guide in the documentation is currently out-of-date concerning the App Engine runtimes, but that can be moved to a new issue. https://google-auth.readthedocs.io/en/latest/user-guide.html Thanks, David
The scopes available to this client depend on the scopes configured on the VM or the GKE Nodepool. Most of the time it is set to cloud-platform so it won't work for non-Cloud APIs. You should be able to specify other scopes and it should work.
EDIT: OK I see, this was addressed in #633 it seems!
@davidwtbuxton I seem to still run into this problem in python 37 when using default credentials:
When running on app engine standard env (Py3), I'm still getting "Request had insufficient authentication scopes."
@lululi Please open a new issue rather than commenting on closed issues (repo maintainers are more likely to miss comments on closed issues). Please review https://developers.google.com/calendar/auth for authenticating to the Calendar API. It's possible the calendar API method you are using requires additional scopes.
Using the google.auth.default() helper to access credentials for the default service account on App Engine standard works great, but does not allow one to use auth scopes beyond the default scopes for the Python 3.7 and 3.8 runtimes. This is different to how the old 2.7 runtime works. This app works on 2.7, fails with an exception on 3.8:
On 3.8 the error is
The problem is that google.auth.default() returns an instance of the Compute Engine credentials for Python 3, and that class does not allow changing scopes. The credentials class uses the metadata service to get an access token. On App Engine standard the metadata service also allows one to request an access token with additional scopes (I haven't checked if this is also possible on Compute Engine or Flex). I have an implementation of ServiceAccountCredentials that supports requesting a token with additional scopes, which works on App Engine standard Python 3. https://gist.github.com/davidwtbuxton/525924b7f06f56b8530947d55bad1c21
With that code, the service discovery can request the required scopes:
It would be cool if we could get this supported using google.auth.default() for Python 3 on App Engine standard. In particular it simplifies a lot of code that may mess around loading credentials from a JSON file or similar. Would a PR for this feature be accepted?
Thanks,
David
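Added example, not code from this thread or from the google-auth library: it shows the metadata-server exchange the discussion refers to (a token request carrying a '?scopes=' query parameter) together with a tokeninfo lookup that reports the scopes the token actually received, which is how a workload can tell whether the platform honoured the request, since the thread notes Compute Engine ignores it. The metadata and tokeninfo URLs are the documented endpoints; fake_fetch and its responses are constructed to stand in for a VM that keeps only cloud-platform.

```python
import json
import datetime
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Token endpoint of the GCE metadata server, which App Engine standard, Cloud Run,
# Cloud Functions and GKE Workload Identity also expose to the workload.
TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
             "instance/service-accounts/default/token")
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"  # reports a token's scopes
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"


def http_get(url, headers=None):
    """Real transport; the metadata server requires the Metadata-Flavor header."""
    with urlopen(Request(url, headers=headers or {}), timeout=5) as resp:
        return resp.read().decode("utf-8")


def token_url(scopes=None):
    """Append '?scopes=a,b' (one comma-separated value) only when scopes are asked for."""
    if not scopes:
        return TOKEN_URL
    return TOKEN_URL + "?" + urlencode({"scopes": ",".join(scopes)})


def fetch_scoped_token(scopes=None, fetch=http_get, now=None):
    """Return (access_token, expiry) from the metadata server's JSON reply
    {"access_token": ..., "expires_in": <seconds>, "token_type": "Bearer"}."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    body = json.loads(fetch(token_url(scopes), {"Metadata-Flavor": "Google"}))
    return body["access_token"], now + datetime.timedelta(seconds=int(body["expires_in"]))


def missing_scopes(access_token, wanted, fetch=http_get):
    """Scopes in `wanted` that tokeninfo says the token does NOT carry. On GCE the
    ?scopes= parameter is ignored (the token keeps the VM's scopes), so this check
    catches that before an API replies "insufficient authentication scopes"."""
    info = json.loads(fetch(TOKENINFO_URL + "?" + urlencode({"access_token": access_token})))
    granted = set(info.get("scope", "").split())
    return sorted(s for s in wanted if s not in granted)


def fake_fetch(url, headers=None):
    """Constructed stand-in for a GCE VM whose token keeps only cloud-platform
    (mimics a metadata server that ignores ?scopes=); not real service output."""
    if url.startswith(TOKEN_URL):
        assert headers == {"Metadata-Flavor": "Google"}, "metadata header missing"
        return '{"access_token": "ya29.constructed", "expires_in": 3599, "token_type": "Bearer"}'
    return json.dumps({"scope": CLOUD_PLATFORM, "expires_in": "3599"})
```

Swap fake_fetch for the default http_get to run it inside a real workload; on App Engine standard, Cloud Run or GKE Workload Identity the tokeninfo check should then come back empty for the requested scopes.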