
Domain-wide Delegation only works when providing credentials via `keyFile`

Open ErikCoup opened this issue 3 years ago • 3 comments

It seems that making API calls (e.g., to the Google Drive API) impersonating another user via Domain-Wide Delegation only works when creating a client using the keyFile option (and not when relying on automatically provided auth credentials).

Specifically, I am trying to call the Google Drive API from a Google Cloud Function. I rely on the "Default App Engine Service Account" for authorizing my client:

```javascript
// here, credentials are automatically obtained by getClient:
const auth = await google.auth.getClient({
  clientOptions: {
    subject: '[email protected]',
  },
  scopes: [ /* list of required scopes */ ],
});
const driveAPI = google.drive({ version: 'v3', auth });

// make some requests - however, they are NOT made by '[email protected]',
// but by the Default App Engine Service Account :(
```

The above code works, but requests are not made as [email protected], but instead as the Default App Engine Service Account. To be clear, I have configured Domain-Wide Delegation for the Default App Engine Service Account in the Google Workspaces Admin UI (https://admin.google.com).

Now, the above code does work once I slightly extend it by providing the Default App Engine Service Account's credentials via the keyFile option:

```javascript
// here, credentials are explicitly provided via keyFile:
const auth = await google.auth.getClient({
  clientOptions: {
    subject: '[email protected]',
  },
  keyFile: './path/to/keyFile.json',
  scopes: [ /* list of required scopes */ ],
});
const driveAPI = google.drive({ version: 'v3', auth });

// make some requests - they are now made as '[email protected]' :)
```

Ideally, I'd like to avoid having to manually provide the Default App Engine Service Account credentials using a file.

It seems this issue was mentioned as part of discussions around https://github.com/googleapis/google-cloud-node-core/issues/536, specifically in this comment https://github.com/googleapis/google-cloud-node-core/issues/536.


Environment details

  • OS: Google Cloud functions
  • Node.js version: 16
  • npm version: 7 (?)
  • googleapis version: 105.0.0

ErikCoup, Nov 11 '22 09:11

I'm having the same issue. Very frustrating. Any progress on this one?

pwambach, Apr 19 '23 16:04

I have also run into this issue

Schmale97, Apr 27 '23 06:04

If you've landed here, it's good to know that others have contributed some code for a functional workaround in the above-mentioned thread, starting here: https://github.com/googleapis/google-auth-library-nodejs/issues/916#issuecomment-2068887740

tzappia, Jul 16 '24 00:07
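
Added example, not part of this thread and not code from the library or from the linked workaround: one way to obtain a delegated token without a key file is to have the runtime service account sign the JWT-bearer assertion through the IAM Credentials `signJwt` method and exchange it at Google's token endpoint. `adcFetch` is a hypothetical helper (a fetch that attaches the ambient service account's access token), and the function names are this example's own.

```javascript
// Added example: keyless domain-wide delegation (not the library's own code).
// Assumes the runtime service account has roles/iam.serviceAccountTokenCreator
// on itself and is authorised for `scopes` in the Workspace Admin console.
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer';

// Claim set for the JWT-bearer grant; `sub` selects the impersonated user.
function buildDelegationClaims(serviceAccountEmail, subject, scopes, nowSec) {
  if (!subject) throw new Error('subject is required for delegation');
  if (!scopes || scopes.length === 0) throw new Error('at least one scope is required');
  return {
    iss: serviceAccountEmail,
    sub: subject,
    scope: scopes.join(' '),
    aud: TOKEN_URL,
    iat: nowSec,
    exp: nowSec + 3600, // assertion lifetime is capped at one hour
  };
}

// adcFetch: hypothetical fetch wrapper that adds the ambient (ADC) bearer token.
// plainFetch: unauthenticated fetch used for the token exchange.
async function getDelegatedToken(opts) {
  const { serviceAccountEmail, subject, scopes, adcFetch } = opts;
  const plainFetch = opts.plainFetch || fetch;
  const nowSec = opts.nowSec || Math.floor(Date.now() / 1000);
  const claims = buildDelegationClaims(serviceAccountEmail, subject, scopes, nowSec);

  // Step 1: Google signs the claims with the service account's managed key.
  const signUrl = 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/' +
    serviceAccountEmail + ':signJwt';
  const signRes = await adcFetch(signUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ payload: JSON.stringify(claims) }),
  });
  if (!signRes.ok) throw new Error('signJwt failed: ' + signRes.status);
  const { signedJwt } = await signRes.json();

  // Step 2: exchange the signed assertion for a token that acts as `subject`.
  const tokenRes = await plainFetch(TOKEN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: JWT_BEARER, assertion: signedJwt }),
  });
  if (!tokenRes.ok) throw new Error('token exchange failed: ' + tokenRes.status);
  return (await tokenRes.json()).access_token;
}
```

Because the Token Creator role lets any code running as that service account mint assertions for any user in the domain, keep the scopes authorised in the Admin console to the minimum the function needs.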