Breaking changes for impersonated_credentials between 1.6.3 and 1.7.0+ #416
Comments
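Facing the same issue. Seems to be related with the fact that

A workaround is to reset the scope of the source credential:

```python
from google.auth import default
from google.auth.impersonated_credentials import Credentials
from google.auth.transport.requests import Request
user_cred, _ = default()
credentials = Credentials(user_cred, sa, scopes)  # sa: target service account, scopes: target scopes
# Workaround: restore the source credential's original scopes
credentials._source_credentials._scopes = user_cred.scopes
credentials.refresh(Request())
```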
Thanks @gpoulin - I confirmed the workaround as well. Seeing the exact same issue - macOS impersonated creds scopes break on google-auth>1.6.3

Adding some more context to this, the scope was always there but scopes were not actually requested until this change was made:
Thank you all for the investigation and details you've provided. The general documentation for impersonated credentials lives here. These docs state that
As @gpoulin points out the scope is not mentioned on the list of OAuth2 scopes at https://developers.google.com/identity/protocols/googlescopes, but it may just be out of date. I will do some more investigation internally and update this issue.
Alright, so I think I've figured out the root cause. Impersonated credentials modify the scope of the source credential. This follows the guide here.
However google-auth-library-python/google/auth/impersonated_credentials.py Lines 224 to 252 in 31299e2
google-auth-library-python/google/oauth2/service_account.py Lines 232 to 239 in 31299e2
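A simplified model of the failure discussed in this thread, added here as an illustration and not taken from google-auth or from any commenter. The class names, the stub scope check, and the assumption that the user credential was granted only the cloud-platform scope are hypothetical.

```python
import copy

# Scope values and class names are assumptions for this model, not google-auth code.
IAM_SCOPE = ["https://www.googleapis.com/auth/iam"]
CLOUD_PLATFORM = ["https://www.googleapis.com/auth/cloud-platform"]

class InvalidScope(Exception):
    """Stub for the token endpoint's invalid_scope error."""

class UserCredential:
    """Hypothetical refresh-token (user) credential."""
    def __init__(self, granted, send_scopes):
        self.granted = set(granted)     # scopes the user consented to
        self._scopes = list(granted)    # scopes the client will request
        self.send_scopes = send_scopes  # False models the older behaviour
        self.token = None

    @property
    def scopes(self):
        return self._scopes

    def refresh(self):
        requested = set(self._scopes) if self.send_scopes else set()
        # RFC 6749 section 6: a refresh must not ask for scopes beyond the grant.
        if not requested <= self.granted:
            raise InvalidScope(sorted(requested - self.granted))
        self.token = "constructed-token"

class Impersonated:
    """Hypothetical wrapper that copies the source and overrides its scopes."""
    def __init__(self, source):
        self._source_credentials = copy.copy(source)
        self._source_credentials._scopes = IAM_SCOPE

    def refresh(self):
        self._source_credentials.refresh()
        return self._source_credentials.token

def attempt(send_scopes, apply_workaround=False):
    user = UserCredential(CLOUD_PLATFORM, send_scopes)
    creds = Impersonated(user)
    if apply_workaround:  # the workaround posted in this thread
        creds._source_credentials._scopes = user.scopes
    try:
        creds.refresh()
        return "ok"
    except InvalidScope:
        return "invalid_scope"
```

`attempt(False)` models a refresh that sends no scopes, `attempt(True)` one that sends the overridden scope, and `attempt(True, apply_workaround=True)` the same refresh after the source scopes are restored.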
Environment details
google-auth version: 1.6.3, 1.7.0, 1.10.0

The default credentials are my user credentials (with the ServiceAccountTokenCreator role on the service account).
Steps to reproduce
The following code works and produces a valid access token for the service account in version 1.6.3.
After upgrading to 1.10.0, it fails to authenticate the service account due to invalid scopes.
I traced this back to a google-auth upgrade from 1.6.3 to 1.7.0 (same error occurs).