Commit

fix(auth): use the full format for the JWT payload in IAPToken
Some of the GCP products when retrieving the JWT token from the GCE
Metadata Server come with the `email` claim, but some have recently
started not returning that claim as part of the JWT payload. Adding the
`format=full` query parameter to the GCE Metadata Server API seems to
return the `email` claim for these cases, along with other GCE Metadata
which for the time being we do not need and thus, we discard.

[See these docs for more
information.](https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature)
juanamari94 committed Jun 13, 2024
1 parent 811d8e4 commit 373225a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion auth/gcloud/aio/auth/token.py
Expand Up @@ -57,7 +57,7 @@
)
GCE_ENDPOINT_ID_TOKEN = (
f'{GCE_METADATA_BASE}/instance/service-accounts'
'/default/identity?audience={audience}'
'/default/identity?audience={audience}&format=full'
)
GCLOUD_ENDPOINT_GENERATE_ACCESS_TOKEN = (
'https://iamcredentials.googleapis.com'
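
Review bot: the `&format=full` suffix on the `'/default/identity?audience={audience}&format=full'` line has no code comment saying why it is there, so the reason (some products no longer return the `email` claim without it) lives only in the commit message and the parameter could be dropped in a later cleanup; a one-line comment above `GCE_ENDPOINT_ID_TOKEN` would prevent that. Two further points on the same line: the commit message says the extra GCE metadata is discarded, but that can only apply to what the client reads out of the payload, since the signed JWT itself still carries those claims to whichever service receives the token, so it is worth confirming that exposing them to the audience is acceptable. And because `{audience}` is now followed by a second query parameter, confirm the caller URL-encodes the audience value before it is formatted into this string, otherwise an audience containing `&` or `#` would change or cut off the `format` parameter.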