Saturday, April 14, 2018

How can I impersonate a user of AppEngine java application operating in G-Suite domain?

By Hường Hana 2:30 PM , , Leave a Comment

In my standard AppEngine application I want to perform changes in a Google Sheet documents (among others).

To achieve this, I need to obtain a credential for service account, and somehow configure that it should act in behalf of a user.

This method allows gives me default service account credentials:

private static GoogleCredential getDefaultServiceAccountCredential() throws IOException {     return GoogleCredential.getApplicationDefault()         .createScoped(MY_SCOPES); }

but it does not work in behalf of a user.

Following code is similar, uses other (non-default) service account, but still no impersonation happens:

private static GoogleCredential getNonDefaultServiceAccountCredential() throws IOException {     return GoogleCredential.fromStream(IncomingMailHandlerServlet.class.getResourceAsStream("/tokens/anoher-e6351a8c5b91.json"))         .createScoped(MY_SCOPES); }

For impersonation, Google Docs (and many SO advices) mentions how to do it with use of PKCS12 file; however, that file can only be read as PrivateKey on installed application and not on AppEngine.

Is there any way to obtain impersonated credential for java application running in AppEngine? Or, is there a trick to read from a File on AppEngine?

Note that, for all service accounts that I tried, I configured them with role Owner and with DwD (Domain-wide delegation). Is there anything else to configure?

1 Answers

Answers 1

The GoogleCredential reference offers a sample to

also use the service account flow to impersonate a user in a domain that you own. This is very similar to the service account flow above, but you additionally call GoogleCredential.Builder.setServiceAccountUser(String)

 public static GoogleCredential createCredentialForServiceAccountImpersonateUser(       HttpTransport transport,       JsonFactory jsonFactory,       String serviceAccountId,       Collection<String> serviceAccountScopes,       File p12File,       String serviceAccountUser) throws GeneralSecurityException, IOException {     return new GoogleCredential.Builder().setTransport(transport)         .setJsonFactory(jsonFactory)         .setServiceAccountId(serviceAccountId)         .setServiceAccountScopes(serviceAccountScopes)         .setServiceAccountPrivateKeyFromP12File(p12File)         .setServiceAccountUser(serviceAccountUser)         .build();   }
If You Enjoyed This, Take 5 Seconds To Share It

0 comments:

Post a Comment