Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for workload identity federation credential file format #154

Closed
gmile opened this issue Dec 23, 2022 · 1 comment · Fixed by #170
Closed

Support for workload identity federation credential file format #154

gmile opened this issue Dec 23, 2022 · 1 comment · Fixed by #170

Comments

@gmile
Copy link

gmile commented Dec 23, 2022
edited
Loading

Thanks for an awesome library, we at Contractbook are happy users! 🤗

Would it be possible to add support for workload identity federation credential file format?

The file section "GOOGLE_APPLICATION_CREDENTIALS environment variable" of "How Application Default Credentials works" page lists two different types of contents for the JSON file: service account and configuration for workload identity federation. We're particularly interested in support for configuration for workload identity federation.

For context why we need this: we're gradually getting rid of all JSON service accounts across our infrastructure in favor of short-lived tokens issued as part of key-less approach, to improve our security posture.

One of the places where we still had some service accounts as JSON are ENV variables in GitHub Actions. After cleaning up our GH actions to use OIDC / work identity federation approach, it became clear that Goth doesn't recognize the different contents format for GOOGLE_APPLICATION_CREDENTIALS file, some of our Elixir code that needs to run as part of the CI fails to authenticate with Google Cloud.

The new format looks like this:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/***",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken",
  "credential_source": {
    "url": "https://pipelines.actions.githubusercontent.com/f6c3c35b039387ef292397f8204b44f06dd59dd6c708753be0/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/671d6379-83c9-4431-957a-99ccc35f7298/jobs/52d517d4-19eb-42f8-9cca-7dc7ce1e4b1a/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2F***",
    "headers": {
      "Authorization": "***"
    },
    "format": {
      "type": "json",
      "subject_token_field_name": "value"
    }
  }
}

P.S. as a potential point of reference, a related implementation appears to exist (I'm only saying "appears" because I am not sure what I found is correct) in Google Cloud auth client for JavaScript maintained by folks from Google.

P.P.S. To those having problems deciphering the official auth libraries, like myself, the algorithm of obtaining a short-lived access token appears to be described here: https://cloud.google.com/iam/docs/using-workload-identity-federation#rest. Leaving it here for future reference.
@wojtekmach
Copy link
Collaborator

Please send a PR!

@michaelst michaelst mentioned this issue Apr 6, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

support workload identity michaelst/goth
2 participants
@wojtekmach @gmile