
Getting id-token from compute engine default service account not working #299

Closed
feliara8 opened this issue Feb 24, 2021 · 5 comments · Fixed by #425
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. 🚨 This issue needs some love. status: investigating The issue is under investigation, which is determined to be non-trivial. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@feliara8

feliara8 commented Feb 24, 2021

Environment details

  • OS: Compute engine with machine for docker containers
  • Ruby version: 2.7.1
  • Gem name and version: googleauth last version

Description

I want to make a call to an API in an IAP-secured App Engine app from Compute Engine with the proper service account.
I am trying to follow this link,
which included the Ruby code to do the job, but it's not working.

NOTE: Node code works perfectly

Steps to reproduce

  1. Create a compute engine with a service account
  2. Go to ruby console
  3. Run ruby code to get id_token, but access token is retrieved despite passing target_audience

Code example

# url = "The Identity-Aware Proxy-protected URL to fetch"
# client_id = "The client ID used by Identity-Aware Proxy"
require "googleauth"
require "faraday"

# The client ID as the target audience for IAP
id_token_creds = Google::Auth::Credentials.default target_audience: client_id

headers = {}
id_token_creds.client.apply! headers

resp = Faraday.get url, nil, headers

if resp.status == 200
  puts "X-Goog-Iap-Jwt-Assertion:"
  puts resp.body
else
  puts "Error requesting IAP"
  puts resp.status
  puts resp.headers
end

Thanks!

@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Feb 25, 2021
@dazuma dazuma added priority: p2 Moderately-important priority. Fix may not be included in next release. status: investigating The issue is under investigation, which is determined to be non-trivial. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Mar 5, 2021
@yoshi-automation yoshi-automation removed 🚨 This issue needs some love. triage me I really want to be triaged. labels Mar 5, 2021
@bouk
Contributor

bouk commented Mar 23, 2021

It seems the target_audience option is not being saved. If you do id_token_creds.target_audience you'll get nil.

As a workaround you can do id_token_creds.client.target_audience = '...'

@yoshi-automation yoshi-automation added 🚨 This issue needs some love. and removed 🚨 This issue needs some love. labels Jun 21, 2021
@yoshi-automation yoshi-automation added the 🚨 This issue needs some love. label Nov 3, 2021
@ernsheong

Thanks for workaround, I also expected Google::Auth::Credentials.default target_audience: ... to work because of sample code in #258

But it is also not yet documented:
https://www.rubydoc.info/github/google/google-auth-library-ruby/Google/Auth/Credentials#default-class_method

@henriquesobral

I had the same problem using Cloud Run.

Looking at the code, the problem is at line 63 of application_default.rb file.
When GCECredentials is instantiated, it didn't take the options arguments and therefore target_audience became nil.
This is why it is necessary to revalue target_audience again.

@StupidCodeFactory
Contributor

StupidCodeFactory commented Apr 3, 2023

I've had the same problem, using Cloud Run and Cloud Job. I believe I've fixed the issue in this PR:
#425 🤞 this will get approved and merged soon!
In my case, to circumvent the issue I've done an absolutely horrendous monkey patch 🙈 before invoking the authentication code in my code:

require "googleauth"

module Google::Auth
  module_function

  def get_application_default(scope = nil, options = {})
    creds = DefaultCredentials.from_env(scope, options) ||
            DefaultCredentials.from_well_known_path(scope, options) ||
            DefaultCredentials.from_system_default_path(scope, options)
    return creds unless creds.nil?

    unless GCECredentials.on_gce? options
      GCECredentials.unmemoize_all
      raise NOT_FOUND_ERROR
    end
    # Merge option with the scope and pass this down to the Oauth2 client
    GCECredentials.new(options.merge(scope: scope))
  end
end

This works and I now get an id_token rather than an auth_token
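Whichever workaround you use (the client.target_audience= assignment above or the monkey patch), the failure mode in this issue is silent: apply! still fills the header, just with an access token instead of an ID token. The following self-check is an added example, not code from googleauth or from any commenter; it assumes the gem writes the bearer value under :authorization / "authorization" (as apply! does), and the helper names and sample tokens are constructed here. It decodes only the JWT payload, with no signature verification, because it inspects a token the process itself just minted, not one received from a caller.

```ruby
require "base64"
require "json"

# Hypothetical helper: true only if the Authorization header carries a JWT
# whose "aud" claim contains the expected IAP client ID. An OAuth2 access
# token (opaque "ya29...." string) has no JWT segments and fails the check.
def id_token_for_audience?(headers, expected_audience)
  auth = headers[:authorization] || headers["authorization"] || headers["Authorization"]
  return false unless auth.is_a?(String) && auth.start_with?("Bearer ")

  token = auth.sub("Bearer ", "")
  parts = token.split(".", -1)            # keep empty trailing segments
  return false unless parts.length == 3 && !parts[1].empty?

  payload = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  aud = payload["aud"]
  aud = [aud] unless aud.is_a?(Array)     # "aud" may be a string or a list
  aud.include?(expected_audience)
rescue ArgumentError, JSON::ParserError   # not base64url / not a JSON payload
  false
end

# Constructed, unsigned JWT for offline demonstration only; a real ID token
# from the metadata server is RS256-signed by Google.
def constructed_jwt(claims)
  header = Base64.urlsafe_encode64({ alg: "none", typ: "JWT" }.to_json, padding: false)
  body   = Base64.urlsafe_encode64(claims.to_json, padding: false)
  "#{header}.#{body}.constructed-signature"
end

CLIENT_ID = "000000000000-constructed.apps.googleusercontent.com"

# What the bug in this issue produced: an access token in the header.
BUGGY_HEADERS = { authorization: "Bearer ya29.constructed-opaque-access-token" }
# What the workaround should produce: an ID token minted for the IAP audience.
FIXED_HEADERS = { authorization: "Bearer " + constructed_jwt("aud" => CLIENT_ID,
                                                             "iss" => "https://accounts.google.com") }

if __FILE__ == $PROGRAM_NAME
  puts "buggy headers pass: #{id_token_for_audience?(BUGGY_HEADERS, CLIENT_ID)}"
  puts "fixed headers pass: #{id_token_for_audience?(FIXED_HEADERS, CLIENT_ID)}"
end
```

In real code, call the check right after id_token_creds.client.apply! headers and abort the Faraday request when it returns false, so an access token is never sent to the IAP endpoint.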

@bkoski

bkoski commented Apr 29, 2023

So many thanks @StupidCodeFactory, I spent an hour banging my head against this before I realized the fix was in the latest gem!
