GitHub user laurajsdias added a comment to the discussion: 401 unauthorized with Google OpenID authentication on API
> It seems like your setup is missing two elements > ([doc](https://airflow.apache.org/docs/apache-airflow-providers-google/stable/_modules/airflow/providers/google/common/auth_backend/google_openid.html)): > > 1. Creating the user directly in Airflow > You need to manually create a user that matches the email of the service > account you're impersonating. > > ```shell > airflow users create \ > --username ${NAME} \ > --email [email protected] \ > --firstname API \ > --lastname ServiceAccount \ > --role Admin \ > --password dummy > ``` > > 2. Adding --include-email to your curl command > The ID token must include the email claim so that Airflow can map it to an > internal user. > > ```shell > curl -H "Authorization: Bearer $(gcloud auth print-identity-token \ > --include-email \ > --audiences=${AUDIENCES} \ > > --impersonate-service-account=airflow-t...@example.iam.gserviceaccount.com)" \ > ${URL}/api/v1/dags > ``` that worked! I had the user created, but not the `--include-email` flag in `gcloud auth` when doing the request. thanks a lot, @Mareak! GitHub link: https://github.com/apache/airflow/discussions/48055#discussioncomment-12728983 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
