GenerateAccessToken by services account

Question

I need to make a rest call to access account in google business, but I don't have an access_token. I just have the json of services account. My trouble is the next, how I can generate an access token starting from services account?

The call:

https://mybusiness.googleapis.com/v4/accounts/{accountName}/locations/{locationName}/reviews

I'm trying to generate the access token with the rest call:

https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:generateAccessToken

But this returns an error:

Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential.

I understand the error, but it's not logical. It should return a short-term token without having an authentication credential, because I already have an associated service account.

Regards

Answer 1

You are misunderstanding what the API generateAccessToken does and how to call it.

To call this API you already need an Access Token generated from User or Service Account credentials. You can use gcloud to create an Access Token: gcloud auth application-default print-access-token. Then include the Access Token in the Authorization: bearer HTTP header.

You also need the iam.serviceAccounts.getAccessToken IAM permission on the service account that you name in the API call. This permission can be granted using gcloud iam service-accounts add-iam-policy-binding with the option --role=roles/iam.serviceAccountTokenCreator granting permission.

After meeting the above requirements you call this API to create a new Access Token using the specified Service Account. Basically you are using one Access Token to create another Access Token changing identities.