Auth without a service account? #99
Comments
|
As you indicated, it does not need to be required, so I will modify it to optional. |
|
Thank you! We regularly use Service Account impersonation for our development flows so this would be a great feature/improvement for us. |
|
I removed the dependency for google-cloud-auth and published the new version. |
|
@yoshidan I'm sorry for my late response. I ran a small test whose source I've included below for future readers' convenience. It seems to work really well! Great job and thank you! I did encounter one behavior that concerned me, though. GCP allows you to change the application default credentials (ADC) in a few ways. One of them is using a flow like gcloud config set auth/impersonate_service_account $SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.comfollowed by gcloud auth application-default loginand, assuming that the original user executing these commands has the Service Account Token Creator role (I think) then the {
"delegates": [],
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com:generateAccessToken",
"source_credentials": {
"client_id": "$IMACLIENTID",
"client_secret": "$IMASECRET",
"refresh_token": "$IMAREFRESHTOKEN",
"type": "authorized_user"
},
"type": "impersonated_service_account"
}However, I'm finding that this authorization flow is not supported by $ ./target/debug/google_cloud_storage
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: "failed to get cloud storage client: unsupported account impersonated_service_account"', src/main.rs:15:14
note: run with `RUST_BACKTRACE=1` environment variable to display a backtraceThe error message is clear: $ cat src/main.rs
use google_cloud_default::WithAuthExt;
use google_cloud_storage::client::ClientConfig;
fn main() {
let rt = tokio::runtime::Builder::new_multi_thread()
.enable_all()
.build()
.unwrap();
let client = rt.block_on(async {
let cfg = ClientConfig::default()
.with_auth()
.await
.map_err(|e| format!("failed to get cloud storage client: {}", e))
.unwrap();
return google_cloud_storage::client::Client::new(cfg);
});
let req = google_cloud_storage::http::objects::list::ListObjectsRequest {
bucket: "$MY_BUCKET".to_string(),
max_results: Some(10),
prefix: Some("a".to_string()),
..Default::default()
};
let res = rt.block_on(client.list_objects(&req, None)).unwrap();
for item in res.items.unwrap() {
println!("item {}: md5: {}", item.name, item.md5_hash.unwrap())
}
}and a $ cat Cargo.toml
[package]
name = "google_cloud_storage"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
google-cloud-default = { version = "0.1.0", features = ["storage"] }
google-cloud-storage = { version = "0.9.0", features = ["default"] }
tokio = { version = "1.26.0", features = ["rt", "macros", "rt-multi-thread", "time", "sync"] } |
|
I may be slow to respond since I'm no longer rely\ing on |
It seems that it's required to be using a service account for interacting with Cloud Storage. Is my understanding wrong?
Google's official SDKs allow authenticating without providing service account credentials so are you open to changing the behavior of (at least)
google-cloud-storageto allow for creating aClientwithout using a service account?The text was updated successfully, but these errors were encountered: