-
Notifications
You must be signed in to change notification settings - Fork 254
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How can I authenticate using Workload identity federation? #354
Comments
@MrPhantomT In your EC2 instance, will you obtain a short-lived OAuth 2.0 access token as described in Workload Identity Federation - Service account impersonation? If so, I recently added minimal support for using a token that is obtained externally in |
Is this the relevant part of the guide?
|
Yes, but in implementation of that library for other languages like python, node it's looks like all steps(parsing of configuration.json file, obtaining of AWS security token) done inside. |
If it's not too much trouble, can you link to where its done in Python and Node? |
The next section in the documentation of Node library describes usage: Using External Identities I have a little bit troubles with python but I guess this file implement all logic and I guess this part of documentation cover it. |
Thank you for these links, that is very helpful. It sounds like you would like to see equivalent feature support in this library? |
Yes, it would be great. |
If we use https://github.com/google-github-actions/auth today with this library (via Fastlane) we get an error:
which is thrown here:
The JSON Key generated by https://github.com/google-github-actions/auth has this format: {
"type": "external_account",
"audience": "//iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/default/providers/github",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
"credential_source":
{
"url": "https://pipelines.actions.githubusercontent.com/some-long-path/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2F1234567890%2Flocations%2Fglobal%2FworkloadIdentityPools%2Fdefault%2Fproviders%2Fgithub",
"headers": { "Authorization": "***" },
"format": { "type": "json", "subject_token_field_name": "value" },
},
} So no client_email is present. I think this library should add support for this format, just like all the other Google Auth libraries, which gained support in begin of last year: |
Note that libraries like https://github.com/google-github-actions/auth can also generate the OAuth Access Token, so in principal there is no need to understand the |
Is this still on the table to be implemented and is there a timeline? I'd really like to leverage Workload Identity Federation however this library lacking support is a bit of a blocker to that since the upstream tools I am leveraging use this library directly. I currently am trying to use a
This error is coming from https://github.com/googleapis/google-auth-library-ruby/blob/main/lib/googleauth/default_credentials.rb#L57 which makes sense since the library has not yet implemented it. |
@quartzmo do you know if this is a topic that this library is accepting contributions for? (I'm not comfortable with Ruby, but others in this thread might be more equipped to contribute. Just want to move this thread/feature forward.) |
@quartzmo I am quite comfortable with Ruby and would be willing to take a stab at this if it is something the library would entertain merging. |
Just throwing in my "this would be really really really nice to have in the Ruby SDK". Workload identity federation is going to be huge for us, as we are very multi-cloud with primary services hosted on GCP. Huge thanks to @rbclark for taking one for the team running the PR 😄 |
Hi, The team is working on it and will post an update soon. We don't have an ETA but it is being actively worked upon and should be ready soon. Thank you all for your patience. |
We are trying to use the newly released library with workload identity federation to GCP and seeing the following problem: The problem is when a workload is running on an EKS cluster with irsa, the normal authentication flow through the metadata service does not work, so WIF can be only used with generic OIDC provider. In this case the
It would be great to support the EKS service accounts as well, and not just EC2 and metadata provided token based auth. Let me know if that should go to a different feature request. |
Hello, I also have some questions about using Workload Identity Federation with Service Account Impersonation. I am trying to access Cloud Run on GCP from an EC2 instance on AWS. According to this, we have to call generateIdToken instead of generateAccessToken to generate a short-lived token. Here are my questions: • In cases like the above, can I use • If so, assuming to add a field like Thanks! |
Hello, I'm trying to authenticate access to Google Drive from my AWS EC2 instance using Workload Identity Federation, but unfortunately can't figure how to do it.
Is that library support such authentication? Any plans to support it?
Thanks.
The text was updated successfully, but these errors were encountered: