GitHub user laurajsdias edited a discussion: 401 unauthorized with Google 
OpenID authentication on API

Hey,

I have Airflow deployed on AWS EKS and I'm trying to use Google OpenID to 
authenticate on Airflow API, following [this 
documentation](https://airflow.apache.org/docs/apache-airflow-providers-google/10.7.0/api-auth-backend/google-openid.html).

I can already sign in to the webserver using Google, but I'm having issues 
configuring API authentication. It gives 401 unauthorized both for my own Google 
account and GCP service account.

This is what I'm trying (url domain and audience redacted, of course):

```
ENDPOINT_URL="https://airflow._example_.com";

AUDIENCE="_id_.apps.googleusercontent.com"
ID_TOKEN="$(gcloud auth print-identity-token \
    --impersonate-service-account="airflow-t...@example.iam.gserviceaccount.com" \
    "--audiences=${AUDIENCE}")"

curl -X GET  \
    "${ENDPOINT_URL}/api/v1/pools" \
    -H 'Content-Type: application/json' \
    -H 'Cache-Control: no-cache' \
    -H "Authorization: Bearer ${ID_TOKEN}" 
```

This is the error I'm getting:
```
{
  "detail": null,
  "status": 401,
  "title": "Unauthorized",
  "type": "https://airflow.apache.org/docs/apache-airflow/2.7.1/stable-rest-api-ref.html#section/Errors/Unauthenticated"
}
```

Notes:
1. I've added `--impersonate-service-account` to the ID_TOKEN command, because 
otherwise it gives me ``ERROR: (gcloud.auth.print-identity-token) Invalid 
account Type for `--audiences`. Requires valid service account.``
2. I'm using `api/v1/pools` instead of the `api/experimental/pools` from the 
documentation, because the experimental one gives a 404 error.

I have the `auth_backend` and `google_oauth2_audience` in place in 
`airflow.cfg`. I also have the service account key mounted inside the webserver 
pod and `GOOGLE_APPLICATION_CREDENTIALS` as env pointing to the service account 
key path.

Not sure what else to do. Did someone have to do something similar that can 
help? Is there more in-depth documentation on how to set this?

If needed, I can give more information.

Thanks a lot for the support in advance!

GitHub link: https://github.com/apache/airflow/discussions/48055

----
This is an automatically sent email for commits@airflow.apache.org.
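
A bare 401 like the one in the post above gives no reason, so one way to narrow it down is to decode the ID token's claims locally and compare them with the server configuration. The following is an added example, not part of the original post or of Airflow's code; the list of checks (audience, Google issuer, expiry, verified email claim) is an assumption about what an ID-token backend enforces, and the audience value and sample token are constructed placeholders.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def decode_claims(id_token):
    """Return the payload of a JWT WITHOUT verifying it (diagnostic use only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, expected_audience, now=None):
    """List the reasons a backend could reject these claims (assumed checks)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append("aud does not match google_oauth2_audience")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss is not a Google issuer")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if not claims.get("email"):
        problems.append("no email claim")
    elif not claims.get("email_verified", False):
        problems.append("email is not verified")
    return problems

def _constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not real)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

AUDIENCE = "placeholder-id.apps.googleusercontent.com"  # placeholder value
SAMPLE = _constructed_token({  # constructed claims, deliberately without an email
    "aud": AUDIENCE, "iss": "https://accounts.google.com",
    "exp": 2000000000, "azp": "1234567890",
})

if __name__ == "__main__":
    # In practice: pass the real ${ID_TOKEN} and the audience from airflow.cfg.
    for problem in check_claims(decode_claims(SAMPLE), AUDIENCE, now=1700000000):
        print("REJECT:", problem)
```

Run it where the token was issued and print only the findings, never the token itself, since a bearer token in a log or a discussion thread is usable until it expires.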