googleapis / google-api-nodejs-client

Google's officially supported Node.js client library for accessing Google APIs. Support for authorization and authentication with OAuth 2.0, API Keys and JWT (Service Tokens) is included.
https://googleapis.dev/nodejs/googleapis/latest/
Apache License 2.0

Domain-wide Delegation only works when providing credentials via `keyFile` #3107

Open ErikCoup opened 1 year ago

ErikCoup commented 1 year ago

It seems that making API calls (e.g., to the Google Drive API) impersonating another user via Domain-Wide Delegation only works when creating a client using the keyFile option (and not when relying on automatically provided auth credentials).

Specifically, I am trying to call the Google Drive API from a Google Cloud Function. I rely on the "Default App Engine Service Account" for authorizing my client:

const { google } = require('googleapis');

// inside an async function; here, credentials are automatically obtained by getClient
// (Application Default Credentials), no keyFile is passed:
const auth = await google.auth.getClient({
  clientOptions: {
    subject: 'email@to.impersonate',
  },
  scopes: [ /* list of required scopes */ ],
});
const driveAPI = google.drive({ version: 'v3', auth });

// make some requests - however, they are NOT made by 'email@to.impersonate',
// but by the Default App Engine Service Account :(

The above code works, but requests are not made as email@to.impersonate, but instead as the Default App Engine Service Account. To be clear, I have configured Domain-Wide Delegation for the Default App Engine Service Account in the Google Workspaces Admin UI (https://admin.google.com).

Now, the above code does work once I slightly extend it by providing the Default App Engine Service Account's credentials via the keyFile option:

const { google } = require('googleapis');

// inside an async function; here, credentials are explicitly provided via keyFile:
const auth = await google.auth.getClient({
  clientOptions: {
    subject: 'email@to.impersonate',
  },
  keyFile: './path/to/keyFile.json',
  scopes: [ /* list of required scopes */ ],
});
const driveAPI = google.drive({ version: 'v3', auth });

// make some requests - they are now made as 'email@to.impersonate' :)

Ideally, I'd like to avoid having to manually provide the Default App Engine Service Account credentials using a file.

It seems this issue was mentioned as part of discussions around https://github.com/googleapis/google-auth-library-nodejs/issues/916, specifically in this comment https://github.com/googleapis/google-auth-library-nodejs/issues/916#issuecomment-1080595410.


Environment details
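Because the `subject` option can be silently ignored on the Application Default Credentials path, a caller cannot tell from the code alone which principal its Drive requests run as. The following is an added example (not code from the issue thread or from the googleapis library) that builds the client either way and then verifies the effective identity with a real Drive v3 call, `drive.about.get`, failing closed when the impersonated user does not match. It assumes the requested scopes include a Drive scope that permits `about.get`, and that `subject`, `scopes` and `keyFile` are supplied by the caller; the constructed e-mail addresses in the comments are placeholders.

```javascript
// Added example, not part of the original issue or of googleapis.
// Pure comparison used both by the live check below and by offline tests.
// `aboutUser` is the `user` object returned by drive.about.get (fields=user(emailAddress)).
function impersonationStatus(aboutUser, expectedSubject) {
  const actual =
    aboutUser && aboutUser.emailAddress ? String(aboutUser.emailAddress) : null;
  const expected = String(expectedSubject || '');
  // e-mail addresses are compared case-insensitively; a missing user or an
  // empty expected subject is treated as "not impersonated"
  const ok =
    actual !== null &&
    expected !== '' &&
    actual.trim().toLowerCase() === expected.trim().toLowerCase();
  return { ok, actual, expected };
}

// Builds a Drive client and refuses to return it unless requests really run as
// `subject`. Pass `keyFile` to use the explicit-credentials path from the issue;
// omit it to rely on Application Default Credentials (the path that, per the
// issue, currently ignores `subject`).
async function getVerifiedImpersonatedDrive({ subject, scopes, keyFile }) {
  // loaded lazily so impersonationStatus can be exercised without the package installed
  const { google } = require('googleapis');
  const auth = await google.auth.getClient({
    clientOptions: { subject },
    ...(keyFile ? { keyFile } : {}),
    scopes,
  });
  const drive = google.drive({ version: 'v3', auth });
  // ask Drive who it thinks the caller is; only the e-mail address is needed
  const res = await drive.about.get({ fields: 'user(emailAddress)' });
  const status = impersonationStatus(res.data.user, subject);
  if (!status.ok) {
    throw new Error(
      `Domain-wide delegation not applied: requests run as ${status.actual} ` +
        `instead of ${status.expected}`
    );
  }
  return drive;
}
```

Calling `getVerifiedImpersonatedDrive({ subject: 'email@to.impersonate', scopes })` from the Cloud Function turns the symptom described above (requests quietly made as the Default App Engine Service Account) into an explicit error at start-up, which is the behaviour you want when a different principal than intended would otherwise read or write user data.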

pwambach commented 1 year ago

I'm having the same issue. Very frustrating. Any progress on this one?

Schmale97 commented 1 year ago

I have also run into this issue

tzappia commented 3 months ago

If you've landed here, it's good to know that others have contributed some code for a functional workaround in the above-mentioned thread, starting here: https://github.com/googleapis/google-auth-library-nodejs/issues/916#issuecomment-2068887740