
[Question]: account impersonation auth flow #212

Open
ken-scarf opened this issue Mar 8, 2025 · 1 comment

Comments

@ken-scarf

How do I use this library to make impersonated requests? Here's an example of what I want to do:

gcloud storage ls gs://[BUCKET_NAME] --impersonate-service-account=[SERVICE_ACCOUNT_EMAIL]

From what I've gathered so far I need to generate a token with Gogol.IAMCredentials.Projects.ServiceAccounts.GenerateAccessToken.newIAMCredentialsProjectsServiceAccountsGenerateAccessToken. I assume I need to construct a Credential using the access token I got. I tried constructing it with authToAuthorizedUser but it fails because it requires a refresh token. Any help would be appreciated.
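The flow asked about above (mint a short-lived token for the target service account, then use it as the bearer) has one property that matters for correctness: the minted token has no refresh token, so "refreshing" it means minting a new one before it expires. The example below is added here and is not gogol's code or the project's own; it uses a local stand-in record instead of gogol's OAuthToken, and `icMint` is a hypothetical callback standing in for a call to newIAMCredentialsProjectsServiceAccountsGenerateAccessToken. It only needs base and the time library.

```haskell
module Main (main) where

import Data.IORef
import Data.Time.Clock (UTCTime, NominalDiffTime, addUTCTime, getCurrentTime)

-- Stand-in for gogol's OAuthToken (not the library's type): an impersonated
-- token carries only the bearer value and its expiry, never a refresh token.
data ImpersonatedToken = ImpersonatedToken
  { itAccess :: String
  , itExpiry :: UTCTime
  } deriving Show

-- The cached token plus the action that mints a replacement.  In real code
-- icMint would call GenerateAccessToken for the target service account;
-- here it is a hypothetical callback supplied by the caller.
data ImpersonationCache = ImpersonationCache
  { icToken :: IORef ImpersonatedToken
  , icMint  :: IO ImpersonatedToken
  }

-- Treat a token as stale shortly before its real expiry so that a request
-- already in flight does not cross the boundary and fail with 401.
skewMargin :: NominalDiffTime
skewMargin = 60

isStale :: UTCTime -> ImpersonatedToken -> Bool
isStale now tok = addUTCTime skewMargin now >= itExpiry tok

-- Return a usable bearer token.  Instead of re-using the cached token after
-- expiry (which is what returning the same OAuthToken from a refresh would
-- do), a stale token is replaced by a freshly minted one.
currentToken :: IO UTCTime -> ImpersonationCache -> IO ImpersonatedToken
currentToken clock cache = do
  now <- clock
  tok <- readIORef (icToken cache)
  if isStale now tok
    then do
      fresh <- icMint cache
      writeIORef (icToken cache) fresh
      pure fresh
    else pure tok

main :: IO ()
main = do
  start   <- getCurrentTime
  counter <- newIORef (0 :: Int)
  -- Constructed fake minter: each call yields a distinct token valid for
  -- one hour.  The "ya29." prefix is only a constructed marker.
  let fakeMint = do
        n   <- atomicModifyIORef' counter (\c -> (c + 1, c + 1))
        now <- getCurrentTime
        pure ImpersonatedToken
          { itAccess = "ya29.constructed-" ++ show n
          , itExpiry = addUTCTime 3600 now
          }
  first <- fakeMint
  ref   <- newIORef first
  let cache = ImpersonationCache ref fakeMint
  -- With the real clock the cached token is fresh and is returned as-is.
  t1 <- currentToken getCurrentTime cache
  -- With a simulated clock two hours ahead the cached token is stale and a
  -- new one is minted and cached.
  t2 <- currentToken (pure (addUTCTime 7200 start)) cache
  putStrLn $ "same token while fresh: " ++ show (itAccess t1 == itAccess first)
  putStrLn $ "re-minted when stale:   " ++ show (itAccess t2 /= itAccess first)
```

The design point is that the minted token, not a refresh token, is the only secret the client holds, and that the expiry check with a small margin is what decides when to go back to the IAM Credentials API; with `ghc Main.hs && ./Main` the first line prints True (token reused) and the second prints True (token replaced).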

@ken-scarf ken-scarf changed the title account impersonation auth flow [Question]: account impersonation auth flow Mar 8, 2025
@ken-scarf
Author

ken-scarf commented Mar 9, 2025

This is the modification I did to my fork to bypass a token refresh and use the impersonated access token.

diff --git a/lib/gogol/src/Gogol/Auth.hs b/lib/gogol/src/Gogol/Auth.hs
index bbe4e40b8..054e019f5 100644
--- a/lib/gogol/src/Gogol/Auth.hs
+++ b/lib/gogol/src/Gogol/Auth.hs
@@ -183,6 +183,13 @@ exchange c l = fmap (Auth c) . action l
       FromClient x n -> exchangeCode x n
       FromUser u -> authorizedUserToken u Nothing
       FromTokenFile f -> \_l _m -> readTokenFile f
+      FromAccountImpersonation accessToken tokenExpiry ->
+        \_logger _manager ->
+          pure $ OAuthToken
+            { _tokenAccess = accessToken,
+              _tokenRefresh = Nothing,
+              _tokenExpiry = tokenExpiry
+            }

 -- | Refresh an existing 'OAuthToken'.
 refresh ::
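Review bot: The seven lines added to `exchange` for `FromAccountImpersonation` are repeated verbatim in the `refresh` hunk below; factor them into one helper, for example `impersonatedToken accessToken tokenExpiry = \_l _m -> pure OAuthToken { _tokenAccess = accessToken, _tokenRefresh = Nothing, _tokenExpiry = tokenExpiry }`, and call it from both branches so the two call sites cannot drift apart when the refresh behaviour is changed. Returning the caller-supplied token unchanged is fine for the initial exchange, since the token was already minted by the caller.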
@@ -200,6 +207,13 @@ refresh (Auth c t) l = fmap (Auth c) . action l
       FromClient x _ -> refreshToken x t
       FromUser u -> authorizedUserToken u (_tokenRefresh t)
       FromTokenFile f -> \_l _m -> readTokenFile f
+      FromAccountImpersonation accessToken tokenExpiry ->
+        \_logger _manager ->
+          pure $ OAuthToken
+            { _tokenAccess = accessToken,
+              _tokenRefresh = Nothing,
+              _tokenExpiry = tokenExpiry
+            }

 -- | Apply the (by way of possible token refresh) a bearer token to the
 -- authentication header of a request.
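Review bot: The `FromAccountImpersonation` branch in `refresh` does not refresh anything: it returns the original `accessToken` with the original `tokenExpiry`, and with `_tokenRefresh = Nothing` there is nothing to exchange. Once the short-lived impersonated token expires, every refresh yields the same expired bearer and requests keep failing until the `Auth` value is rebuilt by hand. Either the constructor should carry what is needed to mint again (the source credentials and the target service-account email, or an action that re-runs `newIAMCredentialsProjectsServiceAccountsGenerateAccessToken`) so this branch can produce a new token, or the Haddock on the constructor should state that callers must re-create the credentials when `_tokenExpiry` passes.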
diff --git a/lib/gogol/src/Gogol/Internal/Auth.hs b/lib/gogol/src/Gogol/Internal/Auth.hs
index 9eaba956e..2a246f75b 100644
--- a/lib/gogol/src/Gogol/Internal/Auth.hs
+++ b/lib/gogol/src/Gogol/Internal/Auth.hs
@@ -71,6 +71,7 @@ data Credentials (s :: [Symbol])
     -- of the Google CloudSDK Tools.
     FromUser !AuthorizedUser
   | FromTokenFile !FilePath
+  | FromAccountImpersonation !AccessToken !UTCTime

 -- | Service Account credentials which are typically generated/download
 -- from the Google Developer console of the following form:
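Review bot: The new `FromAccountImpersonation` constructor has no Haddock comment while its siblings document where each credential form comes from; add one stating that it holds a pre-minted short-lived access token (not a refresh token) and that `Credentials` values built with it should not be serialised or logged, because the raw bearer is embedded in the value. The diff also shows no import for `UTCTime` (`Data.Time.Clock`) in `Gogol.Internal.Auth`; if it is not already in scope the module will not compile. Finally, the scope phantom `s :: [Symbol]` on `Credentials` is not checked against the scopes the token was actually minted with, so a mismatch will only surface as a runtime 403 rather than a type error.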
