
PubSub client does not read domain delegated credentials

Open salrashid123 opened this issue 3 years ago • 2 comments

Credentials that are enabled for domain delegation are ignored with google-cloud-pubsub (and possibly other gRPC-based service clients).

This is a relatively rare use case, but consider the snippet below.

The service account in question is enabled by the Workspace admin to do domain_delegation over the scopes provided. The svc account assumes the identity of user1@domain and the credentials object contains that user's access_token.

I can use that client to access GCS as `[email protected]`.

If I acquire the raw AuthorizedSession, I can access pubsub with a direct API call.

However, if I pass the credential into a pubsub client, it seems to reset and reacquire credentials representing the original service account.

I'm pretty sure that's the case here since, as-is, the snippet will fail, but if I enable the service account permissions on the pubsub topic, the last step succeeds.

```python
project = 'your_project'

import google.auth
from google.oauth2 import service_account

target_scopes = ["https://www.googleapis.com/auth/cloud-platform",
                 "https://www.googleapis.com/auth/admin.directory.user.readonly"]

# Service account enabled for domain-wide delegation; `subject` is the
# user whose identity the credential assumes.
credentials = service_account.Credentials.from_service_account_file(
    '/path/to/svc_account.json',
    scopes=target_scopes,
    subject='[email protected]')

# 1. GCS client: calls are made as the delegated user (works).
from google.cloud import storage
client = storage.Client(project=project, credentials=credentials)
for b in client.list_buckets():
    print(b.name)


# 2. Raw REST call through AuthorizedSession: also made as the delegated user (works).
from google.cloud import pubsub_v1
from google.auth.transport.requests import AuthorizedSession
project_path = f"projects/{project}"
authed_session = AuthorizedSession(credentials)
response = authed_session.request('GET', 'https://pubsub.googleapis.com/v1/{}/topics'.format(project_path))
print(response.json())


# ## bug:
# 3. gRPC-based Pub/Sub client: fails unless the service account itself
#    has permission on the topic, i.e. the delegated subject is dropped.
publisher = pubsub_v1.PublisherClient(credentials=credentials)
for topic in publisher.list_topics(request={"project": project_path}):
    print(topic.name)
```

Installed versions:

```
google-api-core==2.0.1
google-api-python-client==2.24.0
google-auth==2.1.0
google-auth-httplib2==0.1.0
google-cloud-core==2.0.0
google-cloud-pubsub==2.9.0
google-cloud-storage==1.42.3
```

salrashid123 avatar Dec 20 '21 12:12 salrashid123
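
The security-relevant point in the report above is that the *principal* a call is made as changes silently: with `subject=` set, the service account's signed JWT assertion carries a `sub` claim naming the delegated user, and the resulting access token acts as that user; without it, the token acts as the service account itself. The example below is an added illustration (not code from the google-auth library or from the reporter) that models that claim set with the standard library only, derives the effective principal from it, and wraps that in a fail-closed guard a caller can run before handing a credential to any client. The service-account address, user address and the placeholder signature are constructed values; `unverified_claims` decodes a JWT payload for inspection only and performs no signature verification.

```python
import base64
import json
import time


def build_assertion_claims(client_email, token_uri, scopes, subject=None,
                           now=None, lifetime=3600):
    """Model of the claim set a service-account credential signs and posts to the
    OAuth token endpoint. With domain-wide delegation a `sub` claim names the user
    to act as; without it the token represents the service account itself.
    (Added illustration of the mechanism, not google-auth's own code.)"""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": client_email,
        "scope": " ".join(scopes),
        "aud": token_uri,
        "iat": now,
        "exp": now + lifetime,
    }
    if subject:
        claims["sub"] = subject
    return claims


def effective_principal(claims):
    """Identity the access token minted from this assertion will act as."""
    return claims.get("sub") or claims["iss"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def demo_assertion(claims):
    """Constructed compact-JWT shape for the demo; the third segment is a
    placeholder, not a real RS256 signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def unverified_claims(assertion):
    """Decode the payload segment of a compact JWT for inspection only.
    No signature check is done here, so never base an authorization
    decision on the result; it only tells you what the token *claims*."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_acting_as(claims, expected_principal):
    """Fail-closed guard: refuse to proceed if the credential would act as
    someone other than the principal the caller intends."""
    actual = effective_principal(claims)
    if actual != expected_principal:
        raise PermissionError(
            f"credential acts as {actual!r}, expected {expected_principal!r}")
    return actual


if __name__ == "__main__":
    # Constructed sample values for the demo.
    SA = "svc-account@example-project.iam.gserviceaccount.com"
    USER = "user1@example.com"
    TOKEN_URI = "https://oauth2.googleapis.com/token"
    SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]

    delegated = build_assertion_claims(SA, TOKEN_URI, SCOPES, subject=USER)
    plain = build_assertion_claims(SA, TOKEN_URI, SCOPES)

    print("delegated assertion acts as:", effective_principal(delegated))
    print("plain assertion acts as:    ", effective_principal(plain))
    print("decoded sub claim:", unverified_claims(demo_assertion(delegated)).get("sub"))

    # This is the situation the issue describes: the caller expects USER but
    # the credential in play has lost its subject.
    try:
        check_acting_as(plain, USER)
    except PermissionError as exc:
        print("guard refused:", exc)
```

In practice the guard maps onto the reporter's observation: the GCS and AuthorizedSession paths behave as if the `sub` claim is present, while the gRPC-based Pub/Sub client behaves as if it is absent, so the topic permission has to be granted to the service account rather than the delegated user for the last step to succeed.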

Hi @salrashid123,

Thanks for reporting this issue. I've labeled this as a feature request based on the comment in #580:

there should be a separate feature request to allow impersonated_credentials itself to assume a user's identity (eg,
user1->impersonate(svc_account_A)-->domain_delgate(user2)->calendar_api

@arithmetic1728 Please could you take a look?

parthea avatar Dec 21 '21 12:12 parthea

Sorry, I think I added in some confusion by adding the other reference.

I do think this issue is a bug where the pubsub client's handling of the delegated credentials is reset.

serviceAccount_A -> delegate(user_2) -> access pubsub (as user_2)

This flow works for GCS but not pubsub.

I filed the actual feature request from the comment in #580 here: https://github.com/googleapis/google-auth-library-python/issues/930

salrashid123 avatar Dec 21 '21 14:12 salrashid123