GitHub user Mareak added a comment to the discussion: 401 unauthorized with Google OpenID authentication on API
It seems like your setup is missing two elements ([doc](https://airflow.apache.org/docs/apache-airflow-providers-google/stable/_modules/airflow/providers/google/common/auth_backend/google_openid.html)): 1. Creating the user directly in Airflow You need to manually create a user that matches the email of the service account you're impersonating. ```bash airflow users create \ --username ${NAME} \ --email [email protected] \ --firstname API \ --lastname ServiceAccount \ --role Admin \ --password dummy ``` 2. Adding --include-email to your curl command The ID token must include the email claim so that Airflow can map it to an internal user. ```bash curl -H "Authorization: Bearer $(gcloud auth print-identity-token \ --include-email \ --audiences=${AUDIENCES} \ --impersonate-service-account=airflow-t...@example.iam.gserviceaccount.com)" \ ${URL}/api/v1/dags ``` GitHub link: https://github.com/apache/airflow/discussions/48055#discussioncomment-12728587 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
