impersonate service account and type jwt does not seem to work well together #165

Description

@mzeo

I'm trying something similar to:

oauth2l fetch --refresh --impersonate-service-account='xxxyyy@gke-accounts.iam.gserviceaccount.com' --type jwt --audience="https://google.com"

And I see the following error:

google: could not parse JSON key: google: read JWT from JSON credentials: 'type' field is "authorized_user" (expected "service_account")

It seems like no impersonated credentials are used in the JWT code path.

What I would like is the impersonated identity token (patching JWTTokenSource with https://pkg.go.dev/google.golang.org/api/impersonate#IDTokenSource seems to give me what I'm looking for).
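
The failure and the requested behaviour, as an added example that is not part of the original issue and not oauth2l's code: credentials of type authorized_user hold no private key, so a JWT cannot be signed locally, while an impersonated identity token is minted by the IAM Credentials generateIdToken method. The function names and sample values are constructed for illustration, and the request is built but not sent.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// canSelfSignJWT reports whether a credentials file can sign a JWT locally.
// Only "service_account" files carry a private key; "authorized_user" files
// hold a refresh token instead, which leads to the error quoted in the issue.
func canSelfSignJWT(credJSON []byte) (bool, error) {
	var c struct {
		Type string `json:"type"`
	}
	if err := json.Unmarshal(credJSON, &c); err != nil {
		return false, err
	}
	return c.Type == "service_account", nil
}

// idTokenRequest builds, without sending, the generateIdToken call that mints
// an identity token for target. accessToken is the caller's own OAuth token;
// the caller needs the Service Account Token Creator role on target.
func idTokenRequest(target, audience, accessToken string) (*http.Request, error) {
	body, err := json.Marshal(map[string]interface{}{"audience": audience, "includeEmail": true})
	if err != nil {
		return nil, err
	}
	u := "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" +
		url.PathEscape(target) + ":generateIdToken"
	req, err := http.NewRequest(http.MethodPost, u, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

func main() {
	user := []byte(`{"type":"authorized_user","refresh_token":"constructed"}`) // constructed sample
	ok, _ := canSelfSignJWT(user)
	req, _ := idTokenRequest("xxxyyy@gke-accounts.iam.gserviceaccount.com", "https://google.com", "constructed-token")
	fmt.Println("self-sign possible:", ok, "| fallback:", req.Method, req.URL)
}
```
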
