2
votes

As Google documented, developers can use gcloud auth print-identity-token to generate a development-only id_token to authenticate to Cloud Run. If I base64 decode the resulting id_token, I can see the aud claim is set to 32555940559.apps.googleusercontent.com, which is the client_id of the Google Cloud SDK.

Is this an exception to the rule outlined in service-to-service authentication, which says target_audience needs to be set to the URL of the receiving service (e.g., https://xxxxx.run.app)? Are aud and target_audience the same thing?

Lastly, is there an alternative way to authenticate with a user account instead of a service account, other than using the Google Cloud SDK (i.e., imagine gcloud auth print-identity-token doesn't exist)?

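An added example (not from the question or from Google's own code) showing what a service-side audience check actually compares: it decodes the aud claim the way the question does and tests it against the service URL that service-to-service callers pass as target_audience, which is the value that ends up in aud. Both tokens are constructed, unsigned samples; the client_id and URL are the ones quoted in the question.

```python
import base64
import json

# Values taken from the question: the Cloud SDK client_id that gcloud auth
# print-identity-token puts in "aud", and the Cloud Run URL used as target_audience.
GCLOUD_SDK_CLIENT_ID = "32555940559.apps.googleusercontent.com"
CLOUD_RUN_URL = "https://xxxxx.run.app"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT as sample input (not a Google-issued token)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def decode_payload(id_token: str) -> dict:
    """Return the JWT claims WITHOUT verifying the signature (inspection only).

    A receiving service must also verify signature, issuer and expiry, e.g. with
    google.oauth2.id_token.verify_oauth2_token, before trusting any claim.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(id_token: str, expected_audience: str) -> bool:
    """Strict audience check: the token's aud must name this service's URL."""
    aud = decode_payload(id_token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519 allows a list
    return expected_audience in audiences


# Constructed sample tokens: one shaped like the gcloud dev token, one minted with
# target_audience set to the service URL (so its aud claim carries that URL).
SDK_TOKEN = make_unsigned_token({"iss": "https://accounts.google.com", "aud": GCLOUD_SDK_CLIENT_ID})
SERVICE_TOKEN = make_unsigned_token({"iss": "https://accounts.google.com", "aud": CLOUD_RUN_URL})

if __name__ == "__main__":
    print(audience_matches(SDK_TOKEN, CLOUD_RUN_URL), audience_matches(SERVICE_TOKEN, CLOUD_RUN_URL))
```

The gcloud-shaped token fails a check pinned to the service URL because its aud is the SDK client_id, which is exactly why the documentation tells service-to-service callers to set target_audience to the receiving service's URL.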

2 Answers

5
votes

Yes, it's a real problem. I wrote 2 articles on IAM limitation and Service Account Credentials API, and I submitted 2 pull requests for the Google Auth Java library (I can share the link if you are interested).

Directly and easily, you can't. I provide workarounds in my article, but they are not great enough to stop my discussions with Google now.

1
votes

You could use the following command:

gcloud auth application-default login

According to the documentation:

This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials.