I am building a Ruby service that connects to a Google Cloud Endpoint using a Service Account. When passing the JWT generated so far, I'm getting an invalid token error, so I've been troubleshooting where I'm going wrong and am currently concluding it's due to the mismatched iss value of my token.
To build the JWT for access, I am passing a JSON keyfile to Google::Auth::ServiceAccountCredentials.make_creds, following the instructions set forth in the README.
Example:
    require "googleauth"

    # Memoized service account credentials built from the JSON keyfile.
    def authorizer
      @authorizer ||= Google::Auth::ServiceAccountCredentials.make_creds(
        json_key_io: File.open(keyfile),
        scope: scope,
        enable_self_signed_jwt: true
      )
    end
where keyfile is defined as
    def keyfile
      ENV.fetch("GOOGLE_CLOUD_KEYFILE")
    end
and scope is defined as
    def scope
      ENV.fetch("GOOGLE_ENDPOINT_SCOPE")
    end
I verify the value of @issuer of my authorizer is the service account email address. However, when the JWT is encoded and returned to me via fetch_access_token!, I test the contents of my token using jwt.io, but the iss value is showing up as https://accounts.google.com instead of my expected service account email address.
My question is: why isn't iss set to the value of @issuer and how do I get this set to my service account email address?
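An added example, not part of the original question and not googleauth's own code: a stdlib-only Ruby check that decodes a token's claims locally (so a live credential never has to be pasted into a web decoder) and reports when iss, aud or exp differ from what the endpoint expects. The claim layout in self_signed_claims (iss and sub both set to the service account email), the helper names, the key, the email and the audience are assumptions constructed for illustration.

```ruby
require "openssl"
require "json"
# URL-safe base64 without padding, as JWT segments use (RFC 7515).
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(segment)
  padded = segment.tr("-_", "+/") + "=" * ((4 - segment.length % 4) % 4)
  padded.unpack1("m").force_encoding("UTF-8")
end

# Assumed claim layout for a self-signed service account JWT: iss == sub == email.
def self_signed_claims(client_email, audience, now: Time.now.to_i)
  { iss: client_email, sub: client_email, aud: audience, iat: now, exp: now + 3600 }
end

# Sign claims as an RS256 JWT with the service account's private key.
def sign_jwt(key, claims)
  input = [{ alg: "RS256", typ: "JWT" }, claims].map { |p| b64url(JSON.generate(p)) }.join(".")
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Decode the payload locally for inspection. No signature check is done here.
def jwt_claims(token)
  segments = token.split(".")
  raise ArgumentError, "expected 3 dot-separated segments, got #{segments.length}" unless segments.length == 3
  JSON.parse(b64url_decode(segments[1]))
end

# List every way the token differs from what the endpoint expects.
def issuer_problems(token, expected_iss:, expected_aud:)
  claims = jwt_claims(token)
  problems = []
  problems << "iss is #{claims['iss'].inspect}" unless claims["iss"] == expected_iss
  problems << "aud is #{claims['aud'].inspect}" unless Array(claims["aud"]).include?(expected_aud)
  problems << "exp is in the past" if claims["exp"].to_i <= Time.now.to_i
  problems
rescue ArgumentError, JSON::ParserError => e
  ["not a JWT: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  key   = OpenSSL::PKey::RSA.new(2048)                  # constructed throwaway key
  email = "svc@example-project.iam.gserviceaccount.com" # constructed
  aud   = "https://example-api.endpoints.example.test"  # constructed
  token = sign_jwt(key, self_signed_claims(email, aud).merge(iss: "https://accounts.google.com"))
  puts issuer_problems(token, expected_iss: email, expected_aud: aud)
end
```

Running issuer_problems on the string returned by fetch_access_token! distinguishes a token whose iss is wrong from a value that is not a three-part JWT at all.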