Make the projectId optional for signing with IAM
Copied from original issue: https://github.com/stephenplusplus/google-auto-auth/issues/53
@hiranya911
July 10, 2018 11:27 PM
The signWithApi method currently requires a projectId field:
```js
_signWithApi (data, callback) {
  if (!this.projectId) {
    callback(new Error('Cannot sign data without a project ID.'));
    return;
  }
  ...
}
```
However, IAM's signBlob endpoint can be called without a projectId if necessary (using - as a wildcard):
```
/projects/-/serviceAccounts/${clientEmail}
```
Can we modify the implementation to default to the `-` wildcard when a projectId is not given explicitly? This will greatly simplify the usage of the library in some high-level applications, such as firebase-admin.
Thanks for the tip, @hiranya911! We are actually going to deprecate google-auto-auth, so this will live on as a feature request for `google-auth-library`.
@hiranya911 if there is no projectId available, I'm guessing that also means there's no email available. They would both come from the service account credentials either via a JSON file, or via the Compute metadata service. If someone wants to use the API like this - they would also have to provide the credential email for the service account, right?
@hiranya911 gentle ping
Sorry for the delay. In the context I'm thinking of (Firebase server-side SDKs), a developer can provide a service account ID (i.e. client email) out of band. I'm not sure if there's a way to plumb that parameter down to this level though.
I think this can also help with issues like https://github.com/googleapis/nodejs-storage/issues/244
Hey @hiranya911 - I'll pick this up for you (a few years after the fact 😅). You are correct, projectId is not required for this request (in fact, adding a project id would be invalid according to the documentation). I'll create a PR shortly.