GCP IAP Java example returning ComputeEngineCredentials instead of ServiceAccountCredentials

2
votes

Context

I have some services in Google AppEngine Flexible environment communicating through APIs, and while I am using IAP for managing user access. I have to programmatically authenticate each service with the Bearer JWT token.

Problem

In my Java Application, I am using the code google is providing to authenticate IAP services, that you can find here: https://cloud.google.com/iap/docs/authentication-howto#iap_make_request-java

The problem is in this block of code:

GoogleCredentials credentials =
    GoogleCredentials.getApplicationDefault().createScoped(Collections.singleton(IAM_SCOPE));
// service account credentials are required to sign the jwt token
if (credentials == null || !(credentials instanceof ServiceAccountCredentials)) {
  throw new Exception("Google credentials : service accounts credentials expected");
}
return (ServiceAccountCredentials) credentials;

The createScoped method is returning a ComputeEngineCredentials while the code is expecting a ServiceAccountCredentials response object.

All the suggestions are welcome. Thanks in advance for the greatest community ever.

1
javagoogle-app-enginegoogle-cloud-platformgoogle-iap
This is occuring because I am running my Java service in flexible environment: github.com/googleapis/google-auth-library-java/blob/master/… But then, how can we authenticate in the Java flexible environment ??Mehdi Benmoha
I think that the only way, is to use a json service account file...Mehdi Benmoha
I have come upon the same problem. I am able to get the correct ServiceAccountCredentials if I have the environment variable set that points to a local json credentials file for the service account I am trying to impersonate (even if it is the compute engine default service account). This happens on a compute engine instance. Were you able to get past the problem?Vee6
I was not trying to impersonate the authentication, I was just trying to authenticate without having to provide the JSON fileMehdi Benmoha

1 Answers

0
votes

You do not actually mention the nature of the difficulty you are faced with. The App Engine flexible environment service account is automatically created in a GCP project. Do you try to create the App Engine flexible environment service account is a separate service account from the App Engine default service account. The "return (ServiceAccountCredentials) credentials;" statement uses a cast to return ServiceAccountCredentials; it should be fine.

Line: GoogleCredentials.getApplicationDefault().createScoped(Collections.singleton(IAM_SCOPE) creates a GoogleCredentials object, it does not need a JSON service account file to succeed.