googleapis / google-auth-library-java

Open source Auth client library for Java
https://developers.google.com/identity
BSD 3-Clause "New" or "Revised" License

Support domain-wide delegation without downloaded service account keys #1064

Open weiminyu opened 1 year ago

weiminyu commented 1 year ago

Problem Summary

Currently we create delegated credentials using downloaded ServiceAccount keys.

We learned that the python auth library supports using the Application Default Credential (ADC) to generate delegated credentials, thus avoiding private key downloads which is a security risk. The java library apparently does not support this feature.

Use Case Details

We have a service account S, that has domain-wide delegation permission on our domain as user U. We have downloaded a ServiceAccount key for S, and use it to create delegated credentials:

GoogleCredentials.fromStream(textFetchedFromDb)   // InputStream holding the downloaded key JSON for S
    .createDelegated("user-U@our-domain.co")
    .createScoped(...);

The python library shows that it is possible to use the ADC to generate a credential for S. A detailed example can be found here. If this is supported in the java library, presumably the new code would look like below. The only requirement is for the ADC to have token creator permission on service account S.

SomeCredentials.newBuilder()
    .setSigner(GoogleCredentials.getApplicationDefault())   // ADC signs on behalf of S
    .setIssuer(serviceAccountSEmail)
    .createDelegated("user-U@our-domain.co")
    .createScoped(...);

Edited on Oct 24: I was wrong saying it is possible to "use the ADC to generate a credential for S". What can be done is as follows:

gaurav517 commented 1 year ago

Is there a workaround for this? Any other library suggestion that can help? We don't want to use service account keys to create delegated credentials. I know that with node/typescript client, we don't have to use json keys to use a service account domain-wide-delegation in GKE environment. It would be nice to have that support here too.

weiminyu commented 1 year ago

@gaurav517 We ended up using a custom implementation. We started with a copy of ServiceAccountCredentials.java, and only had to make very few changes: https://github.com/google/nomulus/blob/master/core/src/main/java/google/registry/config/DelegatedCredentials.java
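The mechanism this thread is after, written out as an added example (not code from this library and not the nomulus DelegatedCredentials linked above): the delegation JWT carries iss = S and sub = U, but the RS256 signature is produced by whatever `com.google.auth.ServiceAccountSigner` is plugged in. In production that signer would be an `ImpersonatedCredentials` built from ADC with `targetPrincipal` S (its `sign()` calls IAM signBlob, which is why the caller only needs roles/iam.serviceAccountTokenCreator on S and S's private key never leaves Google); that wiring is shown only in a comment and is my assumption about how a team would deploy it. The `LocalRsaSigner`, the service-account address, the user, the scope and the throwaway key pair are constructed so the example runs offline and verifies its own signature.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import com.google.auth.ServiceAccountSigner;
import java.net.URLEncoder;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.List;

/**
 * Builds the RS256 JWT assertion for a domain-wide-delegation token exchange
 * (iss = service account S, sub = delegated user U) through a pluggable
 * ServiceAccountSigner, so no private key of S has to be downloaded.
 */
public final class DelegatedAssertion {
  static final String TOKEN_URI = "https://oauth2.googleapis.com/token";
  static final String JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";
  private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

  private final ServiceAccountSigner signer;

  public DelegatedAssertion(ServiceAccountSigner signer) {
    this.signer = signer;
  }

  /** Compact JWT to send as the "assertion" form field; valid for one hour from {@code now}. */
  public String build(String delegatedUser, List<String> scopes, Instant now) {
    long iat = now.getEpochSecond();
    String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
    String claims = "{\"iss\":\"" + esc(signer.getAccount())
        + "\",\"sub\":\"" + esc(delegatedUser)
        + "\",\"scope\":\"" + esc(String.join(" ", scopes))
        + "\",\"aud\":\"" + TOKEN_URI
        + "\",\"iat\":" + iat + ",\"exp\":" + (iat + 3600) + "}";
    String signingInput = B64.encodeToString(header.getBytes(UTF_8))
        + "." + B64.encodeToString(claims.getBytes(UTF_8));
    // The holder of S's key signs: IAM signBlob when the signer is ImpersonatedCredentials.
    byte[] sig = signer.sign(signingInput.getBytes(UTF_8));
    return signingInput + "." + B64.encodeToString(sig);
  }

  /** Form body for the POST to TOKEN_URI that exchanges the assertion for an access token. */
  public static String tokenRequestBody(String assertion) {
    return "grant_type=" + URLEncoder.encode(JWT_BEARER, UTF_8)
        + "&assertion=" + URLEncoder.encode(assertion, UTF_8);
  }

  private static String esc(String s) {
    return s.replace("\\", "\\\\").replace("\"", "\\\"");
  }

  /** Constructed offline stand-in for ImpersonatedCredentials: signs with a local RSA key. */
  static final class LocalRsaSigner implements ServiceAccountSigner {
    private final String account;
    private final PrivateKey key;

    LocalRsaSigner(String account, PrivateKey key) {
      this.account = account;
      this.key = key;
    }

    @Override public String getAccount() { return account; }

    @Override public byte[] sign(byte[] toSign) {
      try {
        Signature s = Signature.getInstance("SHA256withRSA"); // what RS256 and IAM signBlob produce
        s.initSign(key);
        s.update(toSign);
        return s.sign();
      } catch (GeneralSecurityException e) {
        throw new SigningException("local RSA signing failed", e);
      }
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample: a throwaway key plays the part of S's key, which IAM holds in production.
    String serviceAccountS = "s@example-project.iam.gserviceaccount.com";
    List<String> scopes = List.of("https://www.googleapis.com/auth/admin.directory.user.readonly");
    KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
    ServiceAccountSigner signer = new LocalRsaSigner(serviceAccountS, kp.getPrivate());
    // Assumed production wiring (ADC needs roles/iam.serviceAccountTokenCreator on S):
    // signer = ImpersonatedCredentials.create(
    //     GoogleCredentials.getApplicationDefault(), serviceAccountS, List.of(), scopes, 3600);
    String jwt = new DelegatedAssertion(signer).build("user-u@our-domain.co", scopes, Instant.now());

    // Check locally what the token endpoint checks with S's public key.
    String[] parts = jwt.split("\\.");
    Signature v = Signature.getInstance("SHA256withRSA");
    v.initVerify(kp.getPublic());
    v.update((parts[0] + "." + parts[1]).getBytes(UTF_8));
    System.out.println("signature valid: " + v.verify(Base64.getUrlDecoder().decode(parts[2])));
    System.out.println("claims: " + new String(Base64.getUrlDecoder().decode(parts[1]), UTF_8));
    System.out.println("POST " + TOKEN_URI + "\n" + tokenRequestBody(jwt));
  }
}
```

Two checks worth keeping in mind with this arrangement: the token endpoint still rejects the assertion unless the Workspace admin has authorized S's client ID for exactly the requested scopes, and every signature now shows up as an IAM `SignBlob` call attributed to the ADC identity, which is the audit trail you gain by not handing out S's key.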

czp3009 commented 4 months ago

Any update? I really need this.

slatkovic commented 3 months ago

+1

sheltoncardin commented 1 week ago

+1