GitHub user laurajsdias added a comment to the discussion: 401 unauthorized 
with Google OpenID authentication on API

> It seems like your setup is missing two elements 
> ([doc](https://airflow.apache.org/docs/apache-airflow-providers-google/stable/_modules/airflow/providers/google/common/auth_backend/google_openid.html)):
> 
> 1. Creating the user directly in Airflow
>    You need to manually create a user that matches the email of the service 
> account you're impersonating.
> 
> ```shell
> airflow users create \
>   --username ${NAME} \
>   --email [email protected] \
>   --firstname API \
>   --lastname ServiceAccount \
>   --role Admin \
>   --password dummy
> ```
> 
> 2. Adding --include-email to your curl command
>    The ID token must include the email claim so that Airflow can map it to an 
> internal user.
> 
> ```shell
> curl -H "Authorization: Bearer $(gcloud auth print-identity-token \
>   --include-email \
>   --audiences=${AUDIENCES} \
>   --impersonate-service-account=airflow-t...@example.iam.gserviceaccount.com)" \
>   ${URL}/api/v1/dags
> ```

That worked! I had the user created, but not the `--include-email` flag in 
`gcloud auth` when doing the request. Thanks a lot, @Mareak!

GitHub link: 
https://github.com/apache/airflow/discussions/48055#discussioncomment-12728983
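
A local check for the failure discussed in this thread, as an added example that is not part of the original comments or of Airflow's own code: it decodes an ID token's payload without verifying the signature and lists the reasons an email-mapping API backend would answer 401. The function names, the issuer set, the list of checks, and the sample audience are assumptions of this example.

```python
import base64
import json
import time

# Issuer values of Google-signed ID tokens (assumption of this example).
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def decode_claims(id_token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(id_token, expected_audience, known_emails, now=None):
    """Return the reasons a backend that maps the email claim to a user would reject."""
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer")
    if claims.get("aud") != expected_audience:
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    email = claims.get("email")
    if email is None:
        problems.append("no email claim (token minted without --include-email)")
    else:
        if not claims.get("email_verified"):
            problems.append("email not verified")
        if email not in known_emails:
            problems.append("no Airflow user with this email")
    return problems


def constructed_token(claims):
    """Build an unsigned sample token for the demo; constructed, not a real Google token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    sample = {"iss": "https://accounts.google.com", "aud": "https://airflow.example.test", "exp": 2000000000}
    print(diagnose(constructed_token(sample), "https://airflow.example.test", set()))
```

This only inspects claims on the client side; the server must still verify the token's signature against Google's keys before trusting any of them.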
