Mirror of https://github.com/google/nomulus (synced 2025-12-23 14:25:44 +00:00)
When creating/deleting users, we need to add/remove the emails in question to/from the console email group (if it exists). This used to be done synchronously by calling the Groups API directly from the nomulus tool. However, #2488 made it so that in all cases where group membership is modified, a Cloud Tasks task is created to execute the change on the server side asynchronously (because there are multiple places where this change needs to be done, and it is easier to make it all happen on the server side).

Alas, as it turns out, Cloud Tasks tasks need to be created with a service account's credential (which is trivially done on the server side because the ADC is a service account). The nomulus command runs with a user credential, and we need to grant the relevant user permission to masquerade as a service account in order to enqueue tasks from the nomulus tool. It is therefore easier to just revert to the old behavior.