Generate JWT with Application default credentials


Dariusz Sobiechowski

Feb 15, 2021, 5:52:53 PM
to Google Cloud Endpoints
Hi All,

Do you know a simple way to generate and sign a JWT token using ADC when Python code is running on Compute with a service account?

I found the Google libraries:
import google.auth.crypt
import google.auth.jwt

However, I do not see an option to use ADC to avoid passing service account details "manually".

Thanks
Dariusz

Wayne Zhang

Feb 15, 2021, 6:42:48 PM
to Dariusz Sobiechowski, Google Cloud Endpoints
If you are running in GCP, you can talk to the Google metadata server to get the access token for the service account deployed in GCP.

Here is simple Python code on how to call the metadata server.

This access_token can only be used for calling Google APIs.

Thanks
-Wayne


Dariusz Sobiechowski

Feb 15, 2021, 6:47:29 PM
to Google Cloud Endpoints
Hi
So if I have a security definition like this:
securityDefinitions:
  auth1:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "test@test_project.iam.gserviceaccount.com"
    x-google-audiences: "https://test-url.com"

will I be able to generate it?

My understanding is that I need to create the token and sign it on my own, so I need to get the private key. I tried to get a token from metadata (in JWT format) and the issuer is "iss": "https://accounts.google.com",
so I cannot control the access level.

Wayne Zhang

Feb 15, 2021, 7:10:07 PM
to Dariusz Sobiechowski, Google Cloud Endpoints
If you want to pass a JWT to ESP, the access token from the GCP metadata server should not be used. You can follow this doc to generate a JWT token for ESP.

Dariusz Sobiechowski

Feb 15, 2021, 7:13:19 PM
to Google Cloud Endpoints
Hello Wayne,

Thanks for the quick answer. Indeed, I found that documentation and am trying to follow it. It works fine locally when the JSON is available to me (downloaded from the GCP side).

But my use case is to make a valid call from GCP Compute and Airflow where a service account is assigned, and I do not know how to get "sa_keyfile"; I tried with ADC but no luck.

I am sure Google has some method to do it programmatically, but I think it is not documented.

Thank you in advance for your help 

Teju Nareddy

Feb 15, 2021, 10:33:18 PM
to Dariusz Sobiechowski, Google Cloud Endpoints
> I tried to get a token from metadata (in JWT format) and the issuer is "iss": "https://accounts.google.com", so I cannot control the access level.

Can you explain this statement? I don't see what's wrong with having that "iss" field. You can still control access level because:
  • The "sub" field will have the name of the service account that created the ID token
  • The "aud" field will have the name of the API the token is intended for
Using the instance metadata service to verify the identity of calling users is documented here.

Perhaps you're getting JWT Authentication and Authorization mixed up? ESPv2 will verify the JWT (ensures the claims are backed by the signature). Your backend can then read the verified token and decide how to handle the API call based on the values in the "sub" and "aud" claims.

Dariusz Sobiechowski

Feb 15, 2021, 11:08:27 PM
to Google Cloud Endpoints
Hello Teju,

My concern is when I put something like this in the security definition (to allow Compute / Airflow to make a valid call):

  auth1:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    x-google-audiences: "test.com"

I can imagine a situation where a bad actor generates a token and would be able to make a call, as accounts.google.com is always present when Google signs a token.

So in my opinion, the best way is to add something like this to let ESP verify the ISS and certificate in the metadata:
  auth1:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "test@test_project.iam.gserviceaccount.com"
    x-google-audiences: "https://test-url.com"

to allow my account to get it. One problem I have is generating the token in a GCP environment such as Airflow or a Compute node.

Hmm, I thought that sub is not checked by ESP. Should I add any x-google extension?

Wayne Zhang

Feb 15, 2021, 11:22:13 PM
to Dariusz Sobiechowski, Google Cloud Endpoints
Yes, you are correct. "sub" is not checked by ESP.
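Putting together Wayne's metadata-server suggestion, Teju's point about "sub" and "aud", and Wayne's confirmation above that ESP does not check "sub", here is an added Python example; it is not code from this thread or from Google's libraries. It fetches a Google-signed ID token for a chosen audience from the metadata server (the real endpoint `.../service-accounts/default/identity?audience=...&format=full` with the `Metadata-Flavor: Google` header), decodes the claims without verifying them (signature, iss and aud verification is ESP's job), and then shows the backend-side allowlist check on "sub"/"email" that ESP does not perform. The `http_get` hook, `constructed_demo_token`, the subject ID `1234567890` and the audience `https://test-url.com` are assumptions so it runs offline; a real token from the metadata server is RS256-signed by Google.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Real GCE metadata-server endpoints for the instance's default service account.
METADATA_BASE = ("http://metadata.google.internal/computeMetadata/v1/"
                 "instance/service-accounts/default/")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

# Both spellings of the Google issuer occur in practice.
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _http_get(url, headers):
    """Default fetcher: plain HTTP GET returning the body as text (stubbed in offline runs)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def fetch_access_token(http_get=_http_get):
    """OAuth access token for the instance SA: usable against Google APIs, not as a JWT for ESP."""
    body = http_get(METADATA_BASE + "token", METADATA_HEADERS)
    return json.loads(body)["access_token"]


def fetch_id_token(audience, http_get=_http_get):
    """Google-signed ID token (JWT) for the instance SA with aud=<audience>.
    Its claims carry iss=https://accounts.google.com, sub=<SA unique id>, email=<SA email>."""
    query = urllib.parse.urlencode({"audience": audience, "format": "full"})
    return http_get(METADATA_BASE + "identity?" + query, METADATA_HEADERS).strip()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unverified_claims(jwt_token):
    """Decode the payload segment only. This does NOT verify the signature;
    ESP verifies it (and iss/aud) before the request reaches the backend."""
    _header, payload, _signature = jwt_token.split(".")
    return json.loads(_b64url_decode(payload))


def authorize_caller(claims, expected_audience, allowed_subjects, now=None):
    """Backend-side authorization on already-verified claims.
    ESP checks signature, iss and aud but not sub, so the allowlist is enforced here.
    Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if "exp" in claims and float(claims["exp"]) <= now:
        return False, "token expired"
    if claims.get("sub") not in allowed_subjects and claims.get("email") not in allowed_subjects:
        return False, "subject %r not in allowlist" % claims.get("sub")
    return True, "ok"


def constructed_demo_token(claims):
    """CONSTRUCTED sample for offline runs: header and payload with an empty signature.
    Real metadata-server tokens are RS256-signed by Google and must never be trusted unverified."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode("utf-8"))
    payload = _b64url_encode(json.dumps(claims).encode("utf-8"))
    return header + "." + payload + "."


if __name__ == "__main__":
    # Offline demonstration against a stubbed metadata server (constructed values).
    demo = constructed_demo_token({
        "iss": "https://accounts.google.com", "sub": "1234567890",
        "email": "test@test_project.iam.gserviceaccount.com",
        "aud": "https://test-url.com", "iat": 1000, "exp": 4600})
    stub = lambda url, headers: demo if "identity?" in url else '{"access_token": "ya29.demo"}'
    token = fetch_id_token("https://test-url.com", http_get=stub)
    print(authorize_caller(unverified_claims(token), "https://test-url.com", {"1234567890"}, now=2000))
```

The allowlist accepts either the numeric "sub" (the SA's unique ID, which survives a delete-and-recreate of the account with the same email) or the "email" claim; keying on "sub" is the safer choice when the SA is long-lived.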

Dariusz Sobiechowski

Feb 16, 2021, 2:47:17 AM
to Google Cloud Endpoints
I have opened a ticket with Google support to find a way to generate the token, but any ideas are more than welcome.
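For the open question of producing a JWT whose "iss" is the service account email without a downloaded key file, one approach is to let Google do the signing. This is an added example, not code from the thread or from Google: it reads the SA email and an access token from the metadata server, builds the claims that match a securityDefinition with `x-google-issuer: <sa email>` and `x-google-audiences: <audience>`, and calls the IAM Credentials API `POST /v1/projects/-/serviceAccounts/{email}:signJwt`, which signs the claims with the Google-managed key that never leaves Google. The calling identity (here the instance's own SA) needs `roles/iam.serviceAccountTokenCreator` on the target SA, which for self-signing means granting the SA that role on itself. The injectable `http` hook and the audience `https://test-url.com` are assumptions.

```python
import json
import time
import urllib.request

# Real endpoints: GCE metadata server and the IAM Credentials API.
METADATA_SA = ("http://metadata.google.internal/computeMetadata/v1/"
               "instance/service-accounts/default/")
IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"


def _http(url, method="GET", body=None, headers=None):
    """Minimal HTTP helper returning the response body as text (stubbed in offline runs)."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def instance_identity(http=_http):
    """SA email (plain text) and an access token (JSON) from the metadata server."""
    md = {"Metadata-Flavor": "Google"}
    email = http(METADATA_SA + "email", headers=md).strip()
    token = json.loads(http(METADATA_SA + "token", headers=md))["access_token"]
    return email, token


def build_claims(sa_email, audience, lifetime_seconds=3600, now=None):
    """Claims for an ESP securityDefinition with
    x-google-issuer: <sa_email> and x-google-audiences: <audience>."""
    now = int(time.time()) if now is None else int(now)
    return {"iss": sa_email, "sub": sa_email, "aud": audience,
            "iat": now, "exp": now + lifetime_seconds}


def sign_jwt_with_iam(sa_email, claims, access_token, http=_http):
    """Have Google sign the claims with the SA's managed key via
    POST /v1/projects/-/serviceAccounts/{sa_email}:signJwt.
    The caller must hold roles/iam.serviceAccountTokenCreator on sa_email
    (for self-signing, grant the SA that role on itself). Returns the compact JWT."""
    url = "%s/projects/-/serviceAccounts/%s:signJwt" % (IAM_CREDENTIALS, sa_email)
    body = {"payload": json.dumps(claims)}  # signJwt takes the claims as a JSON *string*
    resp = http(url, method="POST", body=body,
                headers={"Authorization": "Bearer " + access_token,
                         "Content-Type": "application/json"})
    return json.loads(resp)["signedJwt"]


def make_esp_jwt(audience, http=_http, now=None):
    """End to end: metadata server -> claims -> IAM signJwt. No key file involved."""
    sa_email, access_token = instance_identity(http=http)
    claims = build_claims(sa_email, audience, now=now)
    return sign_jwt_with_iam(sa_email, claims, access_token, http=http)


if __name__ == "__main__":
    # On a GCE VM or a Composer/Airflow worker this runs for real; send the result to ESP
    # as "Authorization: Bearer <jwt>". The audience is an assumed example value.
    print(make_esp_jwt("https://test-url.com"))
```

Because "sub" is not checked by ESP, the trust boundary here is the IAM binding: only identities holding serviceAccountTokenCreator on that SA can obtain a JWT with its email as "iss", so keep that binding as narrow as possible and prefer an audience that is specific to the one API.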