google / oauth2l

oauth2l ("oauth tool") is a simple CLI for interacting with Google API authentication.
Apache License 2.0

impersonate service account and type jwt do not seem to work well together #165

Open mzeo opened 8 months ago

mzeo commented 8 months ago

I'm trying something similar to:

oauth2l fetch --refresh --impersonate-service-account='xxxyyy@gke-accounts.iam.gserviceaccount.com' --type jwt --audience="https://google.com"

And I see the following error:

google: could not parse JSON key: google: read JWT from JSON credentials: 'type' field is "authorized_user" (expected "service_account")

It seems like no impersonated credentials are used in the JWT code path.

What I would like is the impersonated identity token (Patching JWTTokenSource with https://pkg.go.dev/google.golang.org/api/impersonate#IDTokenSource seems to give me what I'm looking for)

andyrzhao commented 7 months ago

Hi there, the "--impersonate-service-account" option only supports a very specific scenario, which is to exchange user creds with service account creds, so the input creds must be user creds (ex. client-id json, or gcloud refresh token) with implicit type "oauth". At the same time, the "--type jwt" option expects the input creds to be service account creds, and generates a self-signed jwt based off of that (and returns the error you see if the input is incompatible). These two options are mutually exclusive.

I'm not familiar with impersonating IDTokenSource (and have not worked in this space for a while). Feel free to make a proposal on how this might be supported in the oauth2l tool (with input/output examples), and the maintainers can see if support could be added.

Cheers~
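The split andyrzhao describes, as an added example that is not oauth2l's own code: a Go sketch of the "--type jwt" path, which reads a credentials JSON file, refuses anything whose "type" is not "service_account" (the condition behind the error mzeo pasted), and otherwise mints a self-signed RS256 JWT with the service account's own private key. The function names, the claim set (iss/sub/aud/iat/exp with a one-hour lifetime) and both credential files are my assumptions rather than anything taken from oauth2l; the user-credential file and the service-account key are constructed in-process, so nothing contacts Google. The impersonation path is deliberately absent: it needs a live exchange of user creds for service-account creds, which is why the two flags cannot share one input file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
	"time"
)

// credFile holds the credentials-file fields used here. Its "type" is what the error in
// the issue checks: "authorized_user" for user creds, "service_account" for a key file.
type credFile struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// ErrNotServiceAccount is returned when user creds reach the self-signed JWT path.
var ErrNotServiceAccount = errors.New(`read JWT from JSON credentials: 'type' field is not "service_account"`)

// AuthorizedUserJSON is a constructed gcloud-style user credential (dummy values, hypothetical).
const AuthorizedUserJSON = `{"type":"authorized_user","client_id":"0.apps.googleusercontent.com","client_secret":"dummy","refresh_token":"dummy"}`

// SelfSignedJWT models the --type jwt path: parse the key file, insist on a service
// account, then sign an RS256 JWT with the account's own key. No token endpoint is called.
func SelfSignedJWT(credJSON []byte, audience string, now time.Time) (string, error) {
	var c credFile
	if err := json.Unmarshal(credJSON, &c); err != nil {
		return "", fmt.Errorf("could not parse JSON key: %w", err)
	}
	if c.Type != "service_account" {
		return "", fmt.Errorf("%w (got %q)", ErrNotServiceAccount, c.Type)
	}
	block, _ := pem.Decode([]byte(c.PrivateKey))
	if block == nil {
		return "", errors.New("private_key is not PEM")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes) // Google key files are PKCS#8
	key, ok := parsed.(*rsa.PrivateKey)                   // ok is false when parsed is nil
	if err != nil || !ok {
		return "", fmt.Errorf("private_key is not a PKCS#8 RSA key: %v", err)
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": c.ClientEmail, "sub": c.ClientEmail,
		"aud": audience, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyJWT checks the RS256 signature with pub and returns the decoded claims.
func VerifyJWT(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	payload, errPay := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errPay != nil {
		return nil, errors.New("JWT parts are not base64url")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(payload, &claims)
}

// NewTestServiceAccountJSON fabricates a key file around a fresh RSA key (constructed
// test data, not a real Google key) and returns the matching public key.
func NewTestServiceAccountJSON(email string) ([]byte, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	out, err := json.Marshal(map[string]string{"type": "service_account",
		"client_email": email, "private_key": string(pemKey)})
	return out, &key.PublicKey, err
}

func main() {
	sa, pub, _ := NewTestServiceAccountJSON("xxxyyy@gke-accounts.iam.gserviceaccount.com")
	tok, _ := SelfSignedJWT(sa, "https://google.com", time.Now())
	fmt.Println(VerifyJWT(tok, pub))                                                  // claims map, nil error
	fmt.Println(SelfSignedJWT([]byte(AuthorizedUserJSON), "https://google.com", time.Now())) // the 'type' rejection
}
```

The second call in main is the failure from the issue in miniature: the same input that impersonation needs (an authorized_user file) is exactly what the signing path must reject, because there is no private key in it to sign with. Getting the impersonated identity token mzeo asks for would mean starting from that user file and calling an impersonation API such as the IDTokenSource he links, not this signing path.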