Closed
Labels
- 🚨 This issue needs some love.
- priority: p1: Important issue which blocks shipping the next release. Will be fixed prior to next release.
- type: bug: Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Description
Environment details
- OS: MacOS Mojave
- Python version: 3.7.3
- pip version: 19.0.3
- google-auth version: 1.6.3, 1.7.0, 1.10.0
The default credentials are my user credentials (with the ServiceAccountTokenCreator role on the service account).
Steps to reproduce
The following code works and produces a valid access token for the service account in version 1.6.3.
```python
from google.auth import impersonated_credentials, default
from google.auth.transport.requests import Request

sa = "<sa>@<project>.iam.gserviceaccount.com"
source_credentials, _ = default()
scopes = ["https://www.googleapis.com/auth/cloud-platform"]
creds = impersonated_credentials.Credentials(
    source_credentials=source_credentials, target_principal=sa, target_scopes=scopes
)
creds.refresh(Request())
print(creds.token)
```
After upgrading to 1.10.0, it fails to authenticate the service account due to invalid scopes.
```
Traceback (most recent call last):
  File "main.py", line 13, in <module>
    creds.refresh(Request())
  File "/google/lib/python3.7/site-packages/google/auth/impersonated_credentials.py", line 218, in refresh
    self._update_token(request)
  File "/google/lib/python3.7/site-packages/google/auth/impersonated_credentials.py", line 234, in _update_token
    self._source_credentials.refresh(request)
  File "/google/lib/python3.7/site-packages/google/oauth2/credentials.py", line 152, in refresh
    self._scopes,
  File "/google/lib/python3.7/site-packages/google/oauth2/_client.py", line 241, in refresh_grant
    response_data = _token_endpoint_request(request, token_uri, body)
  File "/google/lib/python3.7/site-packages/google/oauth2/_client.py", line 115, in _token_endpoint_request
    _handle_error_response(response_body)
  File "/google/lib/python3.7/site-packages/google/oauth2/_client.py", line 60, in _handle_error_response
    raise exceptions.RefreshError(error_details, response_body)
google.auth.exceptions.RefreshError: ('invalid_scope: Bad Request', '{\n "error": "invalid_scope",\n "error_description": "Bad Request"\n}')
```
I traced this back to a google-auth upgrade from 1.6.3 to 1.7.0 (same error occurs).