Use user account Credential for reaching private Cloud Run/Cloud Functions

问题

Here my use case.

• I already have a Cloud Run service deployed in private mode. (same issue with Cloud Function)
• I'm developing a new service that use this Cloud Run. I use the default credential in the application for the authentication. It worked on Compute Engine and on Cloud Run because the default credential is gotten from the metadata server.

But, on my local environment, I need to use a service account key file for achieving this. (for example, when I set the GOOGLE_APPLICATION_CREDENTIALS env var)

However, I can't use my user account credential.

The log trace are very clear in Java, Node or Go: impossible to generate an identity token on a user credential type.

So,

• why google auth library doesn't allow to do this?
• Why Google Front End accept only Google signed identity token?
• Is a workaround exist for continuing to use the user account?

And a piece of context: we want to avoid to use service account key file. Today, it's our major security breach (files are copied, sent by email, even committed on Github publicly...). The user account default credential work with all Google Cloud API but not with IAP and CLoud Run/Functions.

EDIT

Here some example of error.

JAVA

I do this

        Credentials credentials = GoogleCredentials.getApplicationDefault().createScoped("https://www.googleapis.com/auth/cloud-platform");

        IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
                .setIdTokenProvider((IdTokenProvider) credentials)
                .setTargetAudience(myUri).build();

        HttpRequestFactory factory = new NetHttpTransport().createRequestFactory(new HttpCredentialsAdapter(idTokenCredentials));

And my user credential is not compliant with IdTokenProvider interface

Caused by: java.lang.ClassCastException: class com.google.auth.oauth2.UserCredentials cannot be cast to class com.google.auth.oauth2.IdTokenProvider (com.google.auth.oauth2.UserCredentials and com.google.auth.oauth2.IdTokenProvider are in unnamed module of loader 'app')

NODE

With node, this code work with a service account

    const {GoogleAuth} = require('google-auth-library');
    const auth = new GoogleAuth()
    const client = await auth.getIdTokenClient(url);
    const res = await client.request({url});
    console.log(res.data);

But with my user account, I got this error

Error: Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file.
    at GoogleAuth.getIdTokenClient(....)

回答1:

gcloud auth activate-service-account --key-file is only for "you" running gcloud commands, it won’t be picked up by "applications" that need GOOGLE_APPLICATION_CREDENTIALS.

As you can see from Invoke a Google Cloud Run from java or How to call Cloud Run from out side of Cloud Run/GCP?, you either need to have the JSON key file of Service Account, or have to be running inside a GCE/GKE/Cloud Run/App Engine/GCF instance.

For this to work on your local environment, I recommend logging in with gcloud auth application-default login command (this command is meant to work like as if you’ve set GOOGLE_APPLICATION_CREDENTIALS locally). Let me know if this works.

If that doesn't work, as a last resort you can refactor your code to pick up identity token from an environment variable (if set) while working locally, such as:

$ export ID_TOKEN="$(gcloud auth print-identity-token -q)"
$ ./your-app

Appendix

Per Guillaume's request "how does this gcloud auth print-identity-token work with my personal Google credentials"?

Here's how:

1. gcloud is an OAuth client registered to Google, to get a JWT token you either need to work inside a GCE/GCF/GKE/GAE/CR environment OR have an OAuth app.

2. gcloud issues a request like this:

   POST https://www.googleapis.com/oauth2/v4/token
   

   with body:

   grant_type=refresh_token&client_id=REDACTED.apps.googleusercontent.com&client_secret=REDACTED&refresh_token=REDACTED
   

   Most likely client_id and client_secret values are the same for us because they are gcloud’s. However, it exchanges your refresh_token with a new token.

3. The /token response will contain an access_token and id_token. e.g.:

   {
   "access_token": ".....",
   "id_token": "eyJhbG....."
   "expires_in": 3599,
   "scope": "https://www.googleapis.com/auth/userinfo.email 
   https://www.googleapis.com/auth/appengine.admin 
   https://www.googleapis.com/auth/compute 
   https://www.googleapis.com/auth/cloud-platform 
   https://www.googleapis.com/auth/accounts.reauth openid",
   "token_type": "Bearer",
   }
   

This is how gcloud prints an identity token for you.

If you are curious how does the code do it with a JSON key file, you’ll see something very similar. For example, in Go there's http://google.golang.org/api/idtoken package and you'll see a similar implementation there.

来源：https://stackoverflow.com/questions/61754530/use-user-account-credential-for-reaching-private-cloud-run-cloud-functions