auth.getIdTokenClient() does not honour gcloud auth application-default login #1543

Closed
mbyrne00 opened this issue Apr 27, 2023 · 5 comments

mbyrne00 commented Apr 27, 2023

Summary

When I test/run code locally, using auth.getIdTokenClient("https://my-target-audience") will always yield the error below, despite setting application default credentials using gcloud auth application-default login. Other Google libs are working fine using this.

Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file.

  1. Is this a client library issue or a product issue?
    A client library issue.

  2. Did someone already solve this?
    No

  3. Do you have a support contract?
    No

Environment details

  • OS: MacOS
  • Node.js version: 18.14.0
  • npm version: 9.3.1
  • google-auth-library version: 8.7.0

Steps to reproduce

  1. Grant credentials with a privileged account using gcloud auth application-default login
  2. Execute the following code from somewhere in your codebase in an async function
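    const {GoogleAuth} = require('google-auth-library');
    const auth = new GoogleAuth();
    // Throws here when only application-default login credentials are present
    await auth.getIdTokenClient(this.analysisBaseUrl);
    console.log("All good");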
    
  3. 💥 - the following error is shown and the console log does not execute

Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file.

If you export a JSON key and provide it via the environment variable GOOGLE_APPLICATION_CREDENTIALS then it will work. The other google libs, however, negate the need for this by supporting the application-default login and thus not needing privileged service account JSON keys stored locally.

I've also noticed others with this issue, for example when I came across this post: https://stackoverflow.com/questions/72685175/application-default-credentials-http-trigger-gcp-function-from-local-nodejs-appl

@mbyrne00 mbyrne00 added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Apr 27, 2023
@sofisl sofisl added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. and removed type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. priority: p2 Moderately-important priority. Fix may not be included in next release. labels Apr 27, 2023
@sofisl
Contributor

sofisl commented Apr 27, 2023

Hey @mbyrne00, sounds like this is a duplicate of: #876. Currently, this doesn't support fetching an ID token.

I'll relabel as a FR for the time being.

@mbyrne00
Author

Hey @sofisl - thanks for the reply but not sure how the other issue you linked is a duplicate. The functionality for auth.getIdTokenClient() does what we want at a functional level, but it just does not honour application-default credentials on a developer's machine locally. This just means we have to revert to other more manual means to pass in credentials locally, which we don't need to do for other libs.

The issue you linked seems more about functional changes to allow one token to be exchanged for another, which isn't really what I need. But .... I may not appreciate the internals.

I use the token id client to make the request, and thus add in the identity token for calling cloud functions. I'd be happy to plug in the identity token header manually if I had that, though, and if it supported application-default credentials stored on a developer's machine.

@Irob466

Irob466 commented Apr 28, 2023

I believe this is actually a duplicate of #1113, which was closed but has some active conversation recently. The workarounds posted in the issue don't seem to be working for me, but the reasoning behind why the application-default credentials are failing makes sense.

@mbyrne00
Author

Right - I get why there was the link to #876 now as the complexity is in how to get the identity token with what's available in ~/.config/gcloud/application_default_credentials.json. OK, thanks for highlighting.

The title and content of that issue aren't immediately obvious at first, which is why I didn't find it before raising this issue. At least now that they are linked someone else can find the way.

Here's hoping there's a solution going forward.
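
An added example, not part of the original thread and not the library's own code: a preflight check that classifies a credentials JSON document by its `type` field, separating the user credential written by `gcloud auth application-default login` from an exported service account key, and lists which secret-bearing fields are present by name only. The function name, result fields and sample documents are constructed for illustration; the two verdicts are the ones reported in this thread for google-auth-library 8.7.0, and every other credential type is left undetermined.

```javascript
// Fields that carry secret material; only their names are ever reported.
const SECRET_FIELDS = ['private_key', 'refresh_token', 'client_secret'];

// Verdicts cover only the two cases the thread reports for
// google-auth-library 8.7.0; any other type is left undetermined (null).
function classifyCredentialsJson(text) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (err) {
    return {kind: 'invalid_json', idTokenClient: false, secrets: []};
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return {kind: 'invalid_json', idTokenClient: false, secrets: []};
  }
  const secrets = SECRET_FIELDS.filter((f) => typeof doc[f] === 'string');
  switch (doc.type) {
    case 'authorized_user':
      // User credential written by `gcloud auth application-default login`.
      return {kind: 'user_adc', idTokenClient: false, secrets};
    case 'service_account':
      // Exported key file: works, but is a long-lived secret on disk.
      return {kind: 'service_account_key', idTokenClient: true, secrets};
    default:
      return {kind: 'other', idTokenClient: null, secrets};
  }
}

// Constructed sample documents (placeholder values, not real credentials).
const SAMPLE_USER_ADC = JSON.stringify({
  type: 'authorized_user',
  client_id: 'example-client-id',
  client_secret: 'PLACEHOLDER',
  refresh_token: 'PLACEHOLDER',
});
const SAMPLE_SA_KEY = JSON.stringify({
  type: 'service_account',
  client_email: 'example@example-project.iam.gserviceaccount.com',
  private_key: 'PLACEHOLDER',
});

console.log(classifyCredentialsJson(SAMPLE_USER_ADC));
console.log(classifyCredentialsJson(SAMPLE_SA_KEY));
```

To check a real file, pass the contents of `~/.config/gcloud/application_default_credentials.json`, or of the file named by `GOOGLE_APPLICATION_CREDENTIALS`, to `classifyCredentialsJson`.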

ddelgrosso1 pushed a commit to ddelgrosso1/google-auth-library-nodejs that referenced this issue May 16, 2023
* fix: add hashes to requirements.txt

and update Docker images so they require hashes.

* fix: add hashes to docker/owlbot/java/src

* Squashed commit of the following:

commit ab7384ea1c30df8ec2e175566ef2508e6c3a2acb
Author: Jeffrey Rennie <rennie@google.com>
Date:   Tue Aug 23 11:38:48 2022 -0700

    fix: remove pip install statements (googleapis#1546)

    because the tools are already installed in the docker image as of googleapis/testing-infra-docker#227

commit 302667c9ab7210da42cc337e8f39fe1ea99049ef
Author: WhiteSource Renovate <bot@renovateapp.com>
Date:   Tue Aug 23 19:50:28 2022 +0200

    chore(deps): update dependency setuptools to v65.2.0 (googleapis#1541)

    Co-authored-by: Anthonios Partheniou <partheniou@google.com>

commit 6e9054fd91d1b500cae58ff72ee9aeb626077756
Author: WhiteSource Renovate <bot@renovateapp.com>
Date:   Tue Aug 23 19:42:51 2022 +0200

    chore(deps): update dependency nbconvert to v7 (googleapis#1543)

    Co-authored-by: Anthonios Partheniou <partheniou@google.com>

commit d229a1258999f599a90a9b674a1c5541e00db588
Author: Alexander Fenster <fenster@google.com>
Date:   Mon Aug 22 15:04:53 2022 -0700

    fix: update google-gax and remove obsolete deps (googleapis#1545)

commit 13ce62621e70059b2f5e3a7bade735f91c53339c
Author: Jeffrey Rennie <rennie@google.com>
Date:   Mon Aug 22 11:08:21 2022 -0700

    chore: remove release config and script (googleapis#1540)

    We don't release to pypi anymore.

* chore: rollback java changes

to move forward with other languages until Java's docker image is fixed
Source-Link: googleapis/synthtool@4826337
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-nodejs:latest@sha256:7fefeb9e517db2dd8c8202d9239ff6788d6852bc92dd3aac57a46059679ac9de

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
@danielbankhead
Member

Closing as a duplicate of #876, let's continue the conversation there!

@danielbankhead danielbankhead closed this as not planned Won't fix, can't repro, duplicate, stale Jul 14, 2023