Gmail API 以及与 AWS 和 Google Cloud 的工作负载身份联合

Question

我希望与 Gmail API 集成，并希望使用具有全网域委托的服务用户来代表 Google Workspaces 中的用户请求数据。我的代码在AWS的EC2中运行。通读文档，最佳实践似乎是使用工作负载身份联合来作为服务用户进行身份验证，这样就不存在密钥泄露的风险。

我已按照Google 网站上的步骤设置与 AWS 的工作负载身份联合，此外，还在 google cloud shell 中运行以下命令：

gcloud iam service-accounts add-iam-policy-binding <service_account_email>  \    
--role=roles/iam.workloadIdentityUser  \ 
--member="principalSet://iam.googleapis.com/projects/<project_id>/locations/global/workloadIdentityPools/<pool_id>/attribute.aws_role/arn:aws:sts::<aws_account_id>:assumed-role/<aws_role_name>" \
--project <google_cloud_project_name>

我有以下测试应用程序代码：

const { google } = require("googleapis");
const { GoogleAuth } = require("google-auth-library");
const path = require("path");

module.exports = async (req, res) => {
  const scopes = [
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
  ];

  let status = "";

  try {

    //Inject the client library config as the GOOGLE_APPLICATION_CREDENTIALS
    const configPath = path.join(__dirname, "client_library_config.json");
    process.env["GOOGLE_APPLICATION_CREDENTIALS"] = configPath;
    process.env["GOOGLE_CLOUD_PROJECT"] = "XXXX";

    const auth = new GoogleAuth({
      scopes,
      subject: "XXXX@XXXX.com",//email address of the test account we want to impersonate
      projectId: "XXXXX", //Google Cloud Project Name
    });

    const gmailClient = google.gmail({ version: "v1", auth });

    const user = await gmailClient.users.threads.list({
      userId: "XXXX@XXXX.com", //email address of the test account whose gmail threads we want to get
    });
  } catch (err) {
    console.log("error", err);
  }
  res.status(200).json({
    status: "ok",
  });
};

当尝试运行此代码时，我收到以下错误消息：

error GaxiosError: Precondition check failed.
at Gaxios._request (/opt/backend/node_modules/gaxios/build/src/gaxios.js:130:23)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async AwsClient.requestAsync (/opt/backend/node_modules/google-auth-library/build/src/auth/baseexternalclient.js:240:24)

奇怪的是，当我使用私钥和服务用户的 JWT 身份验证在本地运行此代码时，它运行良好，并且没有遇到任何问题。有什么想法可能会发生什么吗？