
fetch_id_token (or equivalent) locally with gcloud (non-default) configurations

How do I get the current gcloud configuration user/service account's id token in python?

I'm using gcloud configurations to handle my CLI access. (switching between them with `gcloud config configurations activate <env_name>`). I'm NOT using `GOOGLE_APPLICATION_CREDENTIALS` env var at all as I want to be able to switch between configurations/projects/accounts.

It works well with resources like `google.cloud.firestore.Client()` which takes the current configuration.

I'm trying to have authenticated calls between my (python) cloud functions.
When I try to get the token using:

```python
import google.auth.transport.requests
import google.oauth2.id_token

auth_req = google.auth.transport.requests.Request()
id_token = google.oauth2.id_token.fetch_id_token(auth_req, audience)
```

I'm getting `google.auth.exceptions.DefaultCredentialsError: Neither metadata server or valid service account credentials are found.`. I'll note that in a real cloud function `fetch_id_token` works.

I am able to get the token using cli command `gcloud auth print-identity-token`, but I want to get it using the python google auth library so it will work on both my local machine (using functions-framework) and in a real cloud function.

Is it possible? Am I approaching all of this in a wrong way?


btw I'm using a Linux machine.


Hello,

I had the very same problem a couple of weeks ago, as I found myself hitting the error you reported:
`google.auth.exceptions.DefaultCredentialsError: Neither metadata server or valid service account credentials are found`
This method works very well once deployed because the internal metadata server takes care of generating the needed token, but, as you can imagine, it is not available on your local machine.

The only solution out of the box to generate this token locally is the gcloud command you suggested.
The one thing I found out is that the gcloud command you correctly found, `gcloud --verbosity debug auth print-identity-token`, does a URL fetch under the hood:
```
> gcloud --verbosity debug auth print-identity-token

DEBUG: Running [gcloud.auth.print-identity-token] with arguments: [--verbosity: "debug"]
DEBUG: Making request: POST https://www.googleapis.com/oauth2/v4/token
DEBUG: Starting new HTTPS connection (1): www.googleapis.com:443
DEBUG: https://www.googleapis.com:443 "POST /oauth2/v4/token HTTP/1.1" 200 None
INFO: Display format: "value(id_token)"
eyJ************OQ
```
This is the way an idToken is created manually.

Also, if you try to manually validate that token at `https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=ey*************OQ` you will find that it is properly assigned to your own user:
```json
{
  "issued_to": "*****",
  "audience": "*****",
  "user_id": "*****",
  "expires_in": 3497,
  "email": "*****",
  "email_verified": true,
  "issuer": "https://accounts.google.com",
  "issued_at": "*****"
}
```

While the gcloud log gives a hint on which endpoint is to be used locally to obtain the token, it does not provide information on how to make the call. I guess that there is some sort of JWT to be signed locally and then sent to the endpoint in order to exchange it for an identity token.

I found this answer where you can create and sign a JWT to obtain the token without a metadata server, but it uses a service-account JSON credential in order to make the signature:
https://stackoverflow.com/questions/72862609/unexpected-response-from-https-www-googleapis-com-oauth...
So I guess that the generated token will be on behalf of that service account, not your personal user.

For the moment I only have 2 bad ways to do this:
- storing a service account key in the Secret Manager and reading it locally to create the token
- this is even worse: launch a shell command for the idtoken and wrap it inside your own function code

In the end I did not find a solution, so if other users reply with something useful I will also be glad.

I’ve put some more info about this issue in this answer: https://stackoverflow.com/a/76229147/1205281

Hope it will be helpful.
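As an added example (not code from the thread, from Google, or from the google-auth library), here is one way to combine what the question and the reply describe: the `fetch_id_token` call from the question is tried first, which is what works once deployed, and the reply's `gcloud auth print-identity-token` command is the fallback on a developer machine. It also reproduces locally the claim checks that the tokeninfo response in the reply shows (issuer, audience, expiry), without a network call. The callee URL in `AUDIENCE`, the helper names and the claims in the constructed sample token are assumptions; note that the gcloud command as quoted in the reply takes no audience, so the fallback token's `aud` is whatever gcloud issued, and `check_claims` will say so.

```python
"""Added example (not from the thread): get a Google ID token that works both
inside a Cloud Function and on a developer machine using the active gcloud
configuration, then sanity-check its claims locally."""
import base64
import json
import subprocess
import time

# Hypothetical target function URL (assumption); replace with the real callee's URL.
AUDIENCE = "https://example-region-example-project.cloudfunctions.net/callee"

# Issuer values Google uses in its ID tokens (with and without scheme).
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def fetch_via_library(audience):
    """The call from the question. Inside Cloud Functions the metadata server
    mints the token; on a local machine this raises DefaultCredentialsError."""
    import google.auth.transport.requests
    import google.oauth2.id_token

    request = google.auth.transport.requests.Request()
    return google.oauth2.id_token.fetch_id_token(request, audience)


def fetch_via_gcloud():
    """The reply's local workaround: shell out to gcloud, which exchanges the
    active configuration's user credentials for an ID token. The command as
    quoted in the reply takes no audience, so the token's `aud` is whatever
    gcloud chooses, not our callee's URL."""
    result = subprocess.run(
        ["gcloud", "auth", "print-identity-token"],
        check=True, capture_output=True, text=True, timeout=30,
    )
    return result.stdout.strip()


def get_id_token(audience):
    """Library first (works when deployed), gcloud fallback (local dev)."""
    try:
        from google.auth.exceptions import DefaultCredentialsError
    except ImportError:
        return fetch_via_gcloud()  # google-auth not installed locally
    try:
        return fetch_via_library(audience)
    except DefaultCredentialsError:
        return fetch_via_gcloud()


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the JWT payload WITHOUT checking the signature. This is only for
    local inspection (the same claims tokeninfo showed in the reply); the
    callee must still verify the signature against Google's public keys."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_claims(claims, expected_audience, now=None):
    """Report the problems a callee would reject the token for: wrong issuer,
    wrong audience, or expired. Returns an empty list when all checks pass."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("aud") != expected_audience:
        problems.append("audience mismatch: token is for %r" % claims.get("aud"))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(claims):
    """Constructed test fixture: a JWT-shaped string with a dummy signature,
    so decode_claims/check_claims can be exercised offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".dummysig"


if __name__ == "__main__":
    token = get_id_token(AUDIENCE)
    claims = decode_claims(token)
    print("token for", claims.get("email"), "with aud", claims.get("aud"))
    for problem in check_claims(claims, AUDIENCE):
        print("WARNING:", problem)
```

`decode_claims` deliberately does not verify the signature: it is for inspecting what you are about to send, the way the reply used the tokeninfo endpoint. On the receiving function, verify the token with `google.oauth2.id_token.verify_oauth2_token(token, request, audience)` from google-auth, which checks the signature against Google's keys and the audience in one call.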