Kenmore

Reputation: 1595

How can I have a service account impersonate another service account? (Node.js)

I authenticate by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path to a key for my App Engine service account (e.g. [email protected]).

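If a calendar is shared directly to the App Engine service account, I can just do this:

const { google } = require('googleapis');

// Uses Application Default Credentials (the key named by GOOGLE_APPLICATION_CREDENTIALS)
let googleCalendar = google.calendar({
  version: 'v3',
  auth: new google.auth.GoogleAuth({
    scopes: ['https://www.googleapis.com/auth/calendar'],
  })
});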

But I want users to share their calendar with a different service account I have, [email protected]. So I want the App Engine service account to impersonate the google-calendar account. I have tried this (and a few other minor variations):

let googleCalendar = google.calendar({
  version: 'v3',
  auth: new google.auth.GoogleAuth({
    clientOptions: {
      subject: '[email protected]'
    },
    scopes: ['https://www.googleapis.com/auth/calendar'],
  })
});

I get a 401 error: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I tried making my App Engine service account a Member on the google-calendar service account and granting it various Roles such as Service Account User and Service Account Token Creator - but nothing changes.

I suspect the code is right and I just don't have the right Roles configured... but at this point I've been searching how to do this for 2 days and I can't find any documentation on exactly how to do this.

Upvotes: 2

Views: 1860

Answers (1)

Paul Schwarz

Reputation: 1958

Your syntax looks correct, just that you appear to have misunderstood which email address to set as the subject. The subject is the user account on whose behalf you wish to act.

new google.auth.GoogleAuth({
  clientOptions: {
    subject: '[email protected]'
  },
  scopes: ['https://www.googleapis.com/auth/calendar'],
})

Upvotes: 3
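
Added example, not from either post: a sketch of the JWT assertion claim set built from a service account key, showing that the `subject` option ends up as the `sub` claim and how the three configurations on this page differ. The addresses, the helper names and the `gserviceaccount.com` suffix check are assumptions made for illustration, and the RS256 signature that the real library appends is omitted.

```javascript
// Added example: where the `subject` option lands in the JWT assertion.
// All addresses are constructed placeholders, not values from the page.
const TOKEN_URL = 'https://oauth2.googleapis.com/token';

const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Claim set of the JWT-bearer assertion made from a service account key.
// `subject` is optional; when set it becomes the `sub` claim.
function buildAssertionClaims({ keyEmail, subject, scopes, now }) {
  const claims = { iss: keyEmail, scope: scopes.join(' '), aud: TOKEN_URL,
                   iat: now, exp: now + 3600 };
  if (subject) claims.sub = subject;
  return claims;
}

// Unsigned header.payload pair (hypothetical helper; no signature segment).
function encodeUnsigned(claims) {
  return `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
}

// Decode the payload segment so the requested identity can be inspected.
function decodePayload(jwt) {
  const seg = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(seg, 'base64').toString('utf8'));
}

// Classify whose identity the assertion asks for (suffix check is a heuristic).
function describeIdentity(claims) {
  if (!claims.sub) return 'service-account';            // token is for `iss` itself
  if (/gserviceaccount\.com$/i.test(claims.sub)) return 'subject-is-service-account';
  return 'delegated-user';                               // acts on behalf of a user
}

const scopes = ['https://www.googleapis.com/auth/calendar'];
const base = { keyEmail: 'app@example-project.iam.gserviceaccount.com', scopes, now: 1700000000 };
const cases = {
  direct: buildAssertionClaims(base),                    // first snippet in the question
  question: buildAssertionClaims({ ...base,              // second snippet (the 401 case)
    subject: 'calendar-sa@example-project.iam.gserviceaccount.com' }),
  answer: buildAssertionClaims({ ...base, subject: 'alice@example.com' }),
};
for (const [name, claims] of Object.entries(cases)) {
  console.log(name, describeIdentity(decodePayload(encodeUnsigned(claims))));
}
```

Decoding the payload of a real assertion the same way shows which `iss` and `sub` a failing token request actually carried.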
