2

We are having issues accessing the reseller api using service accounts. The example with client secrets work well, but we would need to deploy this in k8s (Kubernetes Engine) without the need to refresh the oauth session on a recurring basis (especially doing this once, as it is kinda hard in a docker container).

While there is a lot of documentation on how to do this with python we could not find any way of getting access using a service account.

We tried two accounts, the default compute engine one and one created directly for our use case. Both got the reseller scope in G Suite.

    https://www.googleapis.com/auth/apps.order,
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/siteverification,

We keep getting "googleapi: Error 403: Authenticated user is not authorized to perform this action., insufficientPermissions" errors though when using

    client, err = google.DefaultClient(ctx, reseller.AppsOrderScope)
    if err != nil {
        log.Fatal("creating oauth client failed", zap.Error(err))
    }
    subs, err := client.Subscriptions.List().Do()
    if err != nil {
        log.Fatal("listing subscriptions failed", zap.Error(err))
    }

I read on a post on StackOverflow, that the Reseller API requires user impersonation but searching on this throughout Google and the oauth2 and client lib repos did not result in a way to do this. Python does this like described in the End-to-End Tutorial

    credentials = ServiceAccountCredentials.from_json_keyfile_name(
        JSON_PRIVATE_KEY_FILE, 
    OAUTH2_SCOPES).create_delegated(RESELLER_ADMIN_USER)

but for Go i could not find any documented way of doing this.

kwiesmueller
  • 190
  • 1
  • 11

2 Answers2

1

So few points here:

  • Reseller API only requires impersonation / domain-wide delegation when using a service account. In other words, the service account itself has no rights to call the API directly but it does have the ability to impersonate a reseller user (e.g. admin@reseller.example.com or such) who has rights to call the Reseller API.
  • You may be able to use regular 3-legged OAuth instead of a service account. You just need to make sure you request offline access so that you get a refresh token that is long lived.
  • Impersonation / domain-wide delegation is not compatible with the default service accounts built-in to AppEngine and ComputeEngine. You must use a service account you created in your API project.

See if the samples Google provides get you where you need to be.

Jay Lee
  • 13,415
  • 3
  • 28
  • 59
  • 3-legged is no option as far as I can see. The rest we already found out but there seems to be a lack of information on how to impersonate a user using the golang client libs – kwiesmueller Apr 26 '18 at 14:59
  • why is 3-legged not an option? – Jay Lee Apr 26 '18 at 17:17
  • because the application is deployed in kubernetes and i got no way of providing the auth token to it when being asked on stdin (or did I get something wrong?) – kwiesmueller May 02 '18 at 12:43
  • You would provide the refresh token which can be exchanged for a fresh access token at any time https://developers.google.com/identity/protocols/OAuth2WebServer#offline – Jay Lee May 02 '18 at 12:46
1

The problem was resolved by using a different config and then setting the jwt.Subject which apparently does impersonation:

const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
if filename := os.Getenv(envVar); filename != "" {
    serviceAccount, err := ioutil.ReadFile(filename)
    if err != nil {
        log.Fatal("creating oauth client failed", zap.Error(err))
    }
    config, err := google.JWTConfigFromJSON(serviceAccount,
        reseller.AppsOrderScope,
    )

    config.Subject = *impersonationUser // like user@google.com
    client = config.Client(ctx)
}
kwiesmueller
  • 190
  • 1
  • 11