impersonate | Impersonate is a plugin that allows you to authenticate | Content Management System library

To simplify script1 a bit, you can try using the WinNT names and skip searching AD:

The "no error" is strange. Be sure that the impersonated service account has the role roles/cloudfunctions.admin.

Indeed, with your first command, you deploy with GCLOUD and the credentials of th sa-email. The sa-email must have the permission to set IAM policies on the functions

In the second command, you no longer use the sa-email credential, but YOUR user credential, this time it's work because YOU have the permissions.

To investigate, you can try to run that command

Threads cannot have separate user ids; only processes can. The data structure the kernel uses for process has a user id field, but the thread one doesn't - so, this is an architectural limitation.

Processes are defined by task_struct, which has a cred field, pointing to a cred structure, including uid, gid etc.

Threads are defined by thread_info, which doesn't have anything point to user credentials.

Posting John Hanley's comment and Tony Stark's comment as community wiki for visibility.

The error occurred because the --impersonate-service-account which OP used is only having the scope devstorage.read which is not enough to sign data.

The following article from John Hanley helped in troubleshooting and resolving the issue.

I tested this code and it works just fine. Make sure to put your envelopeID in there. Try this basic code and let me know:

You can memoize the function when you create it with useCallback:

You can use a new gcloud feature and impersonate your local credential like that:

Lets start with send user account activation emails from my server I am gong to assume that you have a web app. This web app allows users to register with your system. Now when a user registers with your system you want to automatically send them an account creation email. Your idea is to use Google rather than setting up your own smtp server and sending these emails from your own system. Not a bad idea really.

Lets think about this for a minute the emails would need to be sent automatically so you need some kind of service sending them. To do that you want to use a service account. Again this is a great idea using a pre authorized service account that you will not need to have a user to authorize the app.

The only issue is that service accounts do not work with normal gmail accounts. To use a service account with Gmail api you need to use a google workspace domain account. The workspace domain admin would then be able to add permissions to the service account letting it act like a user on the domain. In this case your idea of no-reply.

So your workspace domain account would have a user called no-reply. The domain admin would then configure domain wide delegation to the service account allowing it to pretend that it is the user called no-reply. For all intensive purposes the service account is the no-reply user. It will be able to send mails as if they are coming from that user.

For all this to work you will need the workspace account with that user.

Have a look at the following link, it's actually one of Google's better examples it shows how to set up the delegation.

Perform Google Workspace Domain-Wide Delegation of Authority

Here you create a service account with credentials, allow this account to impersonate other users (e.g. the no-reply user), to only use the Gmail API and to only use it to send emails.

• the documentation is a bit outdated, you can skip the step Grant users access to this service account and create the service account key afterwards via the service account edit function: Manage keys
• in the step Domain wide delegation you need Google Admin not the Google Cloud Platform Admin Console as in the previous step

Just remember to swap out the lines about

Around debugging - I've often found my mistakes by following one of the other methods/programming languages in the Google tutorials.

Have you looked at the OpenAPI notes and tried to follow along?