Domain Wide Delegation not working on 2nd generation GAE (Python 3)

Marc Fargas

Nov 10, 2018, 7:22:31 PM
to Google App Engine
Hi,

I have a Python app I want to deploy on App Engine (2nd Generation Python 3.7) on which I use a Service Account with Domain-wide delegation enabled to access user data.


Locally I do:

import google.auth
from apiclient.discovery import build

creds, project = google.auth.default(
    scopes=['https://www.googleapis.com/auth/admin.directory.user', ],
)
creds = creds.with_subject(GSUITE_ADMIN_USER)

service = build('admin', 'directory_v1', credentials=creds)

This works well and, as far as I know, it is the current way to do this when using Application Default Credentials (locally I have GOOGLE_APPLICATION_CREDENTIALS defined).


Problem is on GAE, when deployed, the call to with_subject raises: AttributeError: 'Credentials' object has no attribute 'with_subject'

I have enabled Domain-wide delegation on the GAE service account already.


What is different between the GOOGLE_APPLICATION_CREDENTIALS I use locally and the ones in GAE when both are service accounts with domain-wide delegation?


Where is .with_subject() on GAE?


The creds object received is of type compute_engine.credentials.Credentials.


Thanks for the help,

Marc


PS: This is cross-posted from Stack Overflow; sadly, I could not get any help there in the past two days on this problem. [link]

PSS: Please add python37 as a suggested tag on the group!
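
The AttributeError reported above arises because Application Default Credentials on App Engine come from the metadata server and hold no private key with which to sign a delegated JWT. Added example (not part of the original thread or any poster's code): one way to obtain delegated credentials in both environments with google-auth's IAM-backed signer. It assumes the runtime service account holds the Service Account Token Creator role on itself and the IAM Service Account Credentials API is enabled; `delegated_credentials` is a hypothetical helper name.

```python
TOKEN_URI = "https://oauth2.googleapis.com/token"


def delegated_credentials(creds, subject, scopes):
    """Return credentials that act as `subject`, limited to `scopes`.

    `creds` is whatever google.auth.default() returned. Hypothetical helper,
    not part of google-auth.
    """
    if not subject or not scopes:
        raise ValueError("subject and at least one scope are required")

    # Key-file credentials (GOOGLE_APPLICATION_CREDENTIALS) carry the private
    # key, so they can sign the delegation assertion locally.
    if hasattr(creds, "with_subject"):
        return creds.with_scopes(list(scopes)).with_subject(subject)

    # Metadata-server credentials (compute_engine.credentials.Credentials)
    # have no key. Ask the IAM API to sign on the service account's behalf.
    # Imported lazily so the key-file path works without network libraries.
    from google.auth import iam
    from google.auth.transport import requests as ga_requests
    from google.oauth2 import service_account

    request = ga_requests.Request()
    creds.refresh(request)  # resolves service_account_email from "default"
    email = creds.service_account_email
    signer = iam.Signer(request, creds, email)

    # Anything running as this service account can now mint tokens for any
    # user in the domain, so pass only scopes that are authorized for
    # delegation in the admin console and that the call actually needs.
    return service_account.Credentials(
        signer, email, TOKEN_URI, scopes=list(scopes), subject=subject
    )
```

The returned object is passed to `build('admin', 'directory_v1', credentials=...)` exactly as `creds` is in the post above.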

George (Cloud Platform Support)

Nov 12, 2018, 4:24:07 PM
to google-a...@googlegroups.com
Hello Marc, 

You seem to write on G Suite development matters; this forum is meant for Google Cloud Platform development. You may check the "G Suite Developer" page for specific help. 

If you intend to develop on GCP indeed, you may have a look at the "Setting Up Authentication for Server to Server Production Applications" page, or, for user authentication, at the "Users Python API Overview" page, depending on the appropriate use-case.

This discussion group is oriented more towards general opinions, trends, and issues of general nature touching the app engine. For coding and programming architecture, you have taken the right approach, posting the issue on Stack Overflow.

You have posted a parallel question on Stack Overflow; I think it is more effective following that post instead. We'll have a closer look as well.