Question

Using Chronicle API v1beta with SA impersonation

  • March 5, 2026
  • 3 replies
  • 40 views

u6004331239

If I impersonate the SA by ACCESS_TOKEN=$(gcloud auth print-access-token --impersonate-service-account=secops-sa@project-here.iam.gserviceaccount.com --scopes="https://www.googleapis.com/auth/cloud-platform") and fetch the instance data by curl -H "Authorization: Bearer $ACCESS_TOKEN" "https://chronicle.us.rep.googleapis.com/v1beta/projects/123456789012/locations/us/instances/1a1a1a1a-1a1a-1a1a-1a1a-1a1a1a1a1a1a/", the request is successful and the response contains the wanted data.
However, if I attempt to curl -H "Authorization: Bearer $ACCESS_TOKEN" "https://chronicle.us.rep.googleapis.com/v1beta/projects/123456789012/locations/us/instances/1a1a1a1a-1a1a-1a1a-1a1a-1a1a1a1a1a1a/cases", the response is


{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}

Looks like the v1 API works with the impersonation, but most of the resources under v1beta and v1alpha do not and we get the error message. If I use my own GCP identity (which is a Chronicle admin) the request curl -H "Authorization: Bearer $ACCESS_TOKEN" "https://chronicle.us.rep.googleapis.com/v1beta/projects/123456789012/locations/us/instances/1a1a1a1a-1a1a-1a1a-1a1a-1a1a1a1a1a1a/cases" works (after ACCESS_TOKEN=$(gcloud auth print-access-token)). I also gave the SA the same privileges to Chronicle as I have (an IAM role) and that did not solve the issue.

There may be some small changes in authentication & authorization between e.g. v1 and v1beta when using SA impersonation. What would these be? Are there some workarounds, tricks or tips for fixing this issue? The intent is to develop a small tool which runs in Cloud Functions. If SA impersonation does not work in dev env from dev endpoint, I'm not sure if it will work from a Cloud Function either.

I have ensured that the SA has the necessary (GCP IAM) permissions for accessing the cases resource. Chronicle API access should be controllable with GCP IAM.

3 replies

hzmndt
Staff
  • March 5, 2026

@u6004331239 I tried; it seems okay for v1beta and v1alpha, but not v1.

API Version     | HTTP Status Code   | Status Message
------------------------------------------------------------
v1alpha         | 200                | OK
v1beta          | 200                | OK
v1              | 404                | Not Found


API tested - url = f"https://{location}-chronicle.googleapis.com/{version}/projects/{project}/locations/{location}/instances/{instance_id}/cases"


u6004331239
  • Author
  • New Member
  • March 5, 2026

@hzmndt thanks for testing 🙏 Hmm maybe something is off with the SecOps instance’s “attachment” with the project 🤔 


_eo
  • Bronze 4
  • March 5, 2026

I’m having a similar issue. I am using a service account key file and when I hit the /cases endpoint for any version, it doesn’t work. However, when I hit the /rule endpoint on all 3 versions I get info back. The service account has chronicle admin permissions, so it shouldn’t be a permissions issue.
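
The posts above compare two hostname forms and three API versions one request at a time; the sketch below runs the same comparison as a single status matrix so that 401, 403 and 404 results can be told apart per host and version. It is an added example, not code from any poster or from Google: the function names and the status legend are assumptions of the example, and the fetcher is passed in so the matrix logic can be exercised without live calls.

```python
import os
import urllib.error
import urllib.request

# Hostname forms seen in this thread: the question's, then the staff reply's.
HOST_FORMS = ("chronicle.{location}.rep.googleapis.com",
              "{location}-chronicle.googleapis.com")
VERSIONS = ("v1", "v1beta", "v1alpha")
# Legend for the status codes that appear in the thread (assumed wording).
MEANING = {
    200: "OK: token accepted and caller authorized",
    401: "UNAUTHENTICATED: credential missing or not accepted",
    403: "PERMISSION_DENIED: token accepted, caller lacks permission",
    404: "NOT_FOUND: this host/version does not serve the path",
}

def build_url(host_form, version, project, location, instance_id, resource):
    host = host_form.format(location=location)
    return (f"https://{host}/{version}/projects/{project}/locations/{location}"
            f"/instances/{instance_id}/{resource}")

def http_status(url, token):
    """Live probe: GET with a bearer token and return only the status code."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def probe_matrix(fetch, project, location, instance_id, resource="cases"):
    """Return (host, version, status, meaning) for every host/version pair."""
    rows = []
    for host_form in HOST_FORMS:
        for version in VERSIONS:
            url = build_url(host_form, version, project, location,
                            instance_id, resource)
            status = fetch(url)
            rows.append((host_form.format(location=location), version, status,
                         MEANING.get(status, "unclassified")))
    return rows

if __name__ == "__main__":
    # ACCESS_TOKEN exported as in the question; IDs are the question's placeholders.
    token = os.environ["ACCESS_TOKEN"]
    for row in probe_matrix(lambda u: http_status(u, token), "123456789012",
                            "us", "1a1a1a1a-1a1a-1a1a-1a1a-1a1a1a1a1a1a"):
        print("{:<36} {:<8} {:<4} {}".format(*row))
```

Run it once with the impersonated token and once with a user token to see whether the differences follow the credential, the hostname or the API version.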