google-cloud-platformservice-accountsgoogle-cloud-api-keys

Generate a long-term access token for a service account to access Google API


I have a service account foo. For this service account I want to create an authorization token so I can run my program in a CI/CD pipeline and letting it communicate with the Google API.

I researched how to retrieve a long-term token by checking out this documentation: https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth

My problem here is that I have to do so many steps just for that token.

Why can't I use the JWT token in the first place to access the Google API? Why do I need to ask for another token? It feels a bit overengineered tbh.


Solution

  • As mentioned in this blog:

    OAuth: Open Authorization (OAuth) is an open standard for token-based authentication over public networks.OAuth allows third-party services such as Facebook and Google to use end-user account information without exposing the user’s account credentials to a third party.

    JWT: JSON Web Tokens (JWT) are an open industry standard for sharing information between two entities, typically a client (the front end of an application) and a server (the back end of an application).

    JWT is a token that contains claims about the user or client. OAuth uses a unique token to grant access to the user’s resources. OAuth tokens are security tokens granted by IDP that can only be validated by that same OAuth token provider. You can use JWT as another kind of OAuth token.

    JWT is better suited to APIs. OAuth is useful for web, API, and browser applications and resources.

    Lifetime of the access token can be extended. To do so, choose the service accounts that need an extended lifetime for access tokens, then add these service accounts to an organization policy that includes the constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint.

    If you want to extend the token lifetime beyond the default, you must create an organization policy that enables the iam.allowServiceAccountCredentialLifetimeExtension constraint. You can't create access tokens with an extended lifetime for user credentials or external identities. Check this official GCP document for more information.

    As per this official GCP document on Generate the access token :

    If you use the REST API, and your system is configured to allow extended token lifetimes, you can create a token with a lifetime longer than the default. The Google Cloud CLI does not support setting a lifetime for the token.

    Now about “Why can't I use the JWT token in the first place to access the Google API? ”

    The JWT token is only valid for a short period of time (typically one hour), and it cannot be used to access the Google API directly. It may seem an extra step and a bit over-engineered using a JWT token adds an extra layer of security and ensures only authorized users are accessing the google APIs, it provides a more secure way to access Google APIs and prevents misuse of API resources.

    Why do I need to ask for another token?

    Another or two-step process helps to improve security by ensuring that your JWT token is not compromised. If your JWT token is stolen, it can only be used to request an access token, which will expire after a short period of time. This helps to protect your Google API resources from unauthorized access.

    Check Google Cloud Community forum discussion for more information.