ImpersonatedCredentials does not support external_account_authorized_user as a source credential, unlike other Google Auth libraries (nodeJs)

[harbir-singh]

Description:

I am encountering a java.io.IOException when attempting to use impersonated credentials with a source credential type of external_account_authorized_user.

java.io.IOException: Error reading credential file from location /Users/.../.config/gcloud/application_default_credentials.json: A credential of type external_account_authorized_user is not supported as source credential for impersonation.
    at com.google.auth.oauth2.DefaultCredentialsProvider.getDefaultCredentialsUnsynchronized(DefaultCredentialsProvider.java:183)

This limitation appears to be specific to the Java library. I have verified that the Node.js client does not have this same restriction and can successfully use this credential type for impersonation.

Reference:

The restriction seems to be enforced in ImpersonatedCredentials.java, which currently only allows UserCredentials or ServiceAccountCredentials as valid source types.

Expected Behavior:

The Java library should support external_account_authorized_user (and potentially other valid credential types) as a source for impersonation, consistent with other Google Cloud client libraries like Node.js.

Steps to Reproduce:

1. Authenticate via gcloud using a method that generates an external_account_authorized_user type in the ADC file (e.g., certain federation or workforce identity scenarios).
2. Attempt to initialize a Google Cloud Java client using ImpersonatedCredentials with this source credential.
3. Observe the IOException.

[harbir-singh]

@zhumin8 / @lqiu96 , I was looking at this, which seems to be the source of this restriction. Could you please take a moment to look into this issue?

[vverman]

Hi @harbir-singh, I have tried to replicate this issue using the steps you indicated but couldn't. Hence closing it out.

ADC file:

{ "audience": "//iam.googleapis.com/locations/global/workforcePools/sample/providers/sample", "client_id": "...", "client_secret": "...", "refresh_token": "...", "token_info_url": "https://sts.googleapis.com/v1/introspect", "token_url": "https://sts.googleapis.com/v1/oauthtoken", "type": "external_account_authorized_user", "universe_domain": "googleapis.com" }

Script:
`public class ExternalAccountAuthorizedExample {

public static void main(String[] args) throws Exception {
// 1. Enable the RAB experiment.
System.setProperty("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "true");

// 2. Load the Service Account credentials directly from the path used in your tests.
String keyPath = "path-to-adc";
GoogleCredentials credentials = GoogleCredentials.fromStream(new FileInputStream(keyPath))
    .createScoped("https://www.googleapis.com/auth/cloud-platform");

System.out.println("Successfully initialized External Account Authorized User Credentials");

System.out.println("Client Type: " + credentials.getClass().getSimpleName()); 

}
}
`

This works fine.