Support Google Workspace Impersonation Without Service Account Key #2896

Open
@jmkrimm

Is your feature request related to a problem? Please describe.
Trying to authorize a Gmail API request to get a Google Workspace account's Gmail delegates via DWD delegated Service Account without a service account key.

Specifically:

  1. the solution cannot use any key file
  2. the solution must use impersonation (Gmail API call will use a different "subject" than the service account itself)
  3. the solution must use OAuth 2 to interact with the API (this requirement comes from the Gmail API itself)

Describe the solution you'd like

For the below code to just work. If a new method is needed for this auth that is fine too.

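  const {google} = require('googleapis');

  // Desired usage: Application Default Credentials (no key file) plus a
  // `subject`, so the service account impersonates a Workspace user via DWD.
  async function listDelegates(accountEmail) {
    const auth = new google.auth.GoogleAuth({
      clientOptions: {
        subject: accountEmail // impersonate the user
      },
      scopes: ['https://www.googleapis.com/auth/gmail.readonly']
    });

    const authClient = await auth.getClient();

    const gmail = google.gmail({
      version: 'v1',
      auth: authClient
    });

    // List the Gmail delegates configured on the impersonated account.
    const delegatesRes = await gmail.users.settings.delegates.list({
      userId: accountEmail
    });
    return delegatesRes.data;
  }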

Describe alternatives you've considered
Contacted Google Support and they confirmed there is no way to do this within the current nodejs client library. I am not going to try and create the auth manually without a client library.

Additional context
I am running the code on App Engine and using the default service account for App Engine which has been authorized with DWD to Google Workspace. So no key file should be necessary to authorize the Google API requests.

Existing open issue that is related but may not be the exact same use case as mine: googleapis/google-auth-library-nodejs#916

This issue is also present in the Python client library but there is at least a workaround.
https://github.com/GoogleCloudPlatform/professional-services/blob/master/examples/gce-to-adminsdk/main.py
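
The three requirements listed in the issue (no key file, a different "subject", OAuth 2) can be met by having the IAM Credentials API `signJwt` method sign the delegation claims and exchanging the signed JWT at the OAuth 2 token endpoint. The sketch below is an added example, not code from the issue or from the googleapis client library; `buildDwdClaims`, `getDelegatedAccessToken`, `saToken` and `fetchImpl` are hypothetical names, and it assumes the service account holds the Service Account Token Creator role on itself.

```javascript
// Added example: keyless domain-wide delegation (DWD) token flow.
// Assumptions: Node 18+ (global fetch); saToken is an access token for the
// service account itself (for example from the metadata server) with the
// cloud-platform scope; the account may call signJwt on itself.
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const IAM_URL = 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/';

// Claim set for DWD: iss = service account, sub = impersonated Workspace user.
function buildDwdClaims(saEmail, subject, scopes, nowSec = Math.floor(Date.now() / 1000)) {
  if (!subject || !subject.includes('@')) throw new Error('subject must be a user email');
  if (!Array.isArray(scopes) || scopes.length === 0) throw new Error('at least one scope required');
  return { iss: saEmail, sub: subject, scope: scopes.join(' '), aud: TOKEN_URL, iat: nowSec, exp: nowSec + 3600 };
}

// POST helper that surfaces the API error body instead of failing silently.
async function postJson(fetchImpl, url, init) {
  const res = await fetchImpl(url, { method: 'POST', ...init });
  const body = await res.json();
  if (!res.ok) throw new Error(`${url} failed: ${res.status} ${JSON.stringify(body)}`);
  return body;
}

// Step 1: Google signs the claims with the account's Google-managed key (no key file).
// Step 2: the signed JWT is exchanged for an OAuth 2 access token scoped to `subject`.
async function getDelegatedAccessToken({ saEmail, subject, scopes, saToken, fetchImpl = fetch }) {
  const claims = buildDwdClaims(saEmail, subject, scopes);
  const signed = await postJson(fetchImpl, `${IAM_URL}${saEmail}:signJwt`, {
    headers: { Authorization: `Bearer ${saToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ payload: JSON.stringify(claims) }),
  });
  const token = await postJson(fetchImpl, TOKEN_URL, {
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
      assertion: signed.signedJwt,
    }).toString(),
  });
  return token.access_token;
}
```

Because anyone who can call `signJwt` for a DWD-authorized account can mint tokens for any user in the domain within the granted scopes, the Token Creator binding is the permission to restrict and audit.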

Labels: priority: p3 (Desirable enhancement or fix. May not be included in next release.); type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)