A recent project required me to use the Google Analytics Core Reporting API for data ingestion. The API call was being made in an Azure function, which worked completely fine locally but failed during the service account authentication process when hosted in Azure with an ‘Invalid provider type specified’ error for the authentication certificate.
3 Days of debugging and research finally led to the answer. The Issue was not actually with the client library, but instead was to do with the way in which the authentication certificate stores X509KeyStorageFlags.
MachineKeySet - Private keys are stored in the local computer store rather than the current user store.
PersistKeySet - The key associated with a PFX file is persisted when importing a certificate.
Exportable Imported keys are marked as exportable.
This is a known issue with Azure hosting; you need to tell the server how you would like it to deal with the X.509 certificate.
As per the API documentation, to load the private key from the certificate, the following code is needed:
var certificate = new X509Certificate2(@"<certificatePath>", "<privatekey>", X509KeyStorageFlags.Exportable);
This line of code will work fine locally, however will fail in Azure because we need to tell the Initializer that the private key(s) are stored in the local computer store rather than the current user store. To do this is simply adding an additional condition to the final parameter of the above line of code as shown below:
var certificate = new X509Certificate2(@"<certificatePath>", "<privatekey>", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
If you check the above definition of the MachineKeySet this does exactly what we need it to by telling the Initializer that the private key or keys are stored in the local store rather than the current user store.
So, the final Service Account Credential code is included in the below Github gist link: