google-auth-library-python
OAuthError due to missing scope(s) when authenticating using ADC Workload Federation OIDC credentials
Environment details
- OS: Linux
- Python version: 3.13.2
- pip version: 24.3.1
- google-auth version: 2.38.0
Steps to reproduce
- Run a python docker container (version above)
- Have a valid OIDC credential configuration file path configured as the GOOGLE_APPLICATION_CREDENTIALS environment variable (see below; validated separately using gcloud auth application-default print-access-token, authentication works fine). In our case this refers to an EKS OIDC token.
- Configure the GOOGLE_CLOUD_PROJECT and GOOGLE_CLOUD_REGION environment variables
- Run pip install vertex-ai
- Run python test.py (code see below)
- Observe authentication error (see below)
GOOGLE_APPLICATION_CREDENTIALS file content
{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<redacted>/locations/global/workloadIdentityPools/<redacted>/providers/<redacted>",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    "format": {
      "type": "text"
    }
  },
  "token_info_url": "https://sts.googleapis.com/v1/introspect"
}
Example project (test.py)
# test.py as posted: vertexai.init() takes the project and location from
# GOOGLE_CLOUD_PROJECT / GOOGLE_CLOUD_REGION and the credentials from
# Application Default Credentials (the GOOGLE_APPLICATION_CREDENTIALS file above).
import vertexai
from vertexai.preview.generative_models import GenerativeModel

vertexai.init()
model = GenerativeModel('gemini-pro')
# The first API call triggers the credential refresh (STS token exchange) that fails.
response = model.generate_content('Say hi')
print(response.text)
Error message
File "/usr/local/lib/python3.13/site-packages/google/auth/transport/requests.py", line 533, in request
self.credentials.before_request(auth_request, method, url, request_headers)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/site-packages/google/auth/credentials.py", line 239, in before_request
self._blocking_refresh(request)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
File "/usr/local/lib/python3.13/site-packages/google/auth/credentials.py", line 202, in _blocking_refresh
self.refresh(request)
~~~~~~~~~~~~^^^^^^^^^
File "/usr/local/lib/python3.13/site-packages/google/auth/external_account.py", line 437, in refresh
response_data = self._sts_client.exchange_token(
request=request,
...<7 lines>...
additional_headers=additional_headers,
)
File "/usr/local/lib/python3.13/site-packages/google/oauth2/sts.py", line 160, in exchange_token
return self._make_request(request, additional_headers, request_body)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/site-packages/google/oauth2/sts.py", line 88, in _make_request
utils.handle_error_response(response_body)
~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/site-packages/google/oauth2/utils.py", line 168, in handle_error_response
raise exceptions.OAuthError(error_details, response_body)
google.auth.exceptions.OAuthError: ('Error code invalid_request: Scope(s) must be provided.', '{"error":"invalid_request","error_description":"Scope(s) must be provided."}')
I have noted a similar bug report for grpc: https://github.com/grpc/grpc-go/issues/7886
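The exchange the traceback ends in, and the workaround of requesting scopes explicitly, as an added example that is not part of the issue or of the google-auth project. It rebuilds the RFC 8693 token-exchange form body that `google.oauth2.sts` posts to `https://sts.googleapis.com/v1/token`, refuses to build one without a scope (the condition the STS endpoint reports as `invalid_request: Scope(s) must be provided.`), and loads ADC credentials with the `cloud-platform` scope via `google.auth.default(scopes=...)` so that `vertexai.init(credentials=...)` never has to refresh unscoped ones. The sample configuration is constructed from the one above with placeholder pool and provider names; the `check_config`, `read_subject_token`, `build_sts_exchange_body` and `scoped_adc_credentials` helpers are this example's own, and the live path at the bottom assumes the same environment variables the issue describes.

```python
# Added example (not from the issue or the google-auth project): rebuild the
# STS token-exchange body the traceback shows, check the external_account
# configuration before it is sent, and load explicitly scoped ADC credentials.
import json
import os
from urllib.parse import urlencode

# OAuth 2.0 token-exchange constants (RFC 8693) used by sts.googleapis.com.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
GOOGLE_STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"

# Constructed sample mirroring the issue's configuration with placeholder
# project, pool and provider names; it does not refer to a real pool.
SAMPLE_CONFIG = {
    "universe_domain": "googleapis.com",
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789/locations/global/"
                "workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": JWT_TOKEN_TYPE,
    "token_url": GOOGLE_STS_TOKEN_URL,
    "credential_source": {
        "file": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
        "format": {"type": "text"},
    },
}


def check_config(config, scopes):
    """Return a list of problems that would make the STS exchange fail.

    The missing-scope case is the one the issue hits: without a scope the
    STS endpoint answers 'invalid_request: Scope(s) must be provided.'
    """
    problems = []
    if config.get("type") != "external_account":
        problems.append("type must be external_account")
    if not str(config.get("audience", "")).startswith("//iam.googleapis.com/"):
        problems.append("audience is not a workload identity pool provider")
    if config.get("token_url") != GOOGLE_STS_TOKEN_URL:
        problems.append("token_url is not the Google STS endpoint")
    if "file" not in config.get("credential_source", {}):
        problems.append("credential_source has no file to read the OIDC token from")
    if not scopes:
        problems.append("no scope requested: STS will reject the exchange")
    return problems


def read_subject_token(config):
    """Read the OIDC subject token from the file named by credential_source.

    Handles the 'text' format used in the issue and the 'json' format, where
    the token sits under credential_source.format.subject_token_field_name.
    """
    source = config["credential_source"]
    fmt = source.get("format", {"type": "text"})
    with open(source["file"], encoding="utf-8") as fh:
        content = fh.read()
    if fmt.get("type") == "json":
        return json.loads(content)[fmt["subject_token_field_name"]]
    return content.strip()


def build_sts_exchange_body(config, subject_token, scopes):
    """Build the RFC 8693 form body; refuse to build an unscoped one locally
    instead of letting the server reject it."""
    problems = check_config(config, scopes)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "audience": config["audience"],
        "scope": " ".join(scopes),
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": subject_token,
        "subject_token_type": config["subject_token_type"],
    }


def scoped_adc_credentials(scopes=(CLOUD_PLATFORM_SCOPE,)):
    """Workaround: ask ADC for credentials that already carry scopes.

    google.auth is imported here rather than at module level so the offline
    helpers above work without it installed.
    """
    import google.auth

    credentials, project = google.auth.default(scopes=list(scopes))
    # external_account credentials report requires_scopes=True until scoped.
    if getattr(credentials, "requires_scopes", False):
        raise RuntimeError("ADC credentials still carry no scopes")
    return credentials, project


if __name__ == "__main__":
    # Offline dry run: what goes on the wire, with a placeholder subject token.
    print(urlencode(build_sts_exchange_body(
        SAMPLE_CONFIG, "<subject-token>", [CLOUD_PLATFORM_SCOPE])))
    # Live path (assumed environment as in the issue): hand scoped credentials
    # to the SDK instead of relying on vertexai.init() to pick up ADC.
    credentials, project = scoped_adc_credentials()
    import vertexai
    vertexai.init(
        project=project or os.environ["GOOGLE_CLOUD_PROJECT"],
        location=os.environ["GOOGLE_CLOUD_REGION"],
        credentials=credentials,
    )
```

Running the file without network prints the encoded exchange body and shows the `scope` field that the failing refresh in the traceback was missing; the live part only runs where `GOOGLE_APPLICATION_CREDENTIALS` points at the external_account file. Passing pre-scoped credentials to `vertexai.init` sidesteps the error for the workload, but it does not answer the question the issue raises, namely why the SDK's own default path ends up refreshing unscoped external_account credentials.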