
Document (or simplify) running of GCP plugin inside AWS Fargate

Open · hermanschaaf opened this issue 1 year ago • 1 comment

When using a GCP workload identity pool with the AWS provider and then running the GCP source plugin inside AWS Fargate, an error like `dial tcp 169.254.169.254:80: connect: invalid argument` occurs.

Fargate uses a different metadata endpoint, `${ECS_CONTAINER_METADATA_URI_V4}/task`, but it is not clear how to make this work.

A workaround one user found is to take the AWS token from the session and save it as an env var, but it would be great if we could better document the best approach to doing this, or have it work automatically as part of the plugin authentication process.

hermanschaaf · Jul 04 '24 08:07

I am not sure if this is possible at all. The GCP documentation seems to be clear that only AWS EC2 instance profiles are supported:

Using Workload Identity Federation, workloads that run on AWS EC2 and Azure can exchange their environment-specific credentials for short-lived Google Cloud Security Token Service tokens.

Environment-specific credentials include the following:

- AWS EC2 instances can use instance profiles to request [temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html).

All of the guides online that talk about ECS and GCP Workload Identity show how to extract the short-lived credentials into env variables which GCP can pick up. This has the downside that it is possible expired GCP credentials cannot be refreshed, because the original creds stored in the env vars could have already expired themselves.

bbernays · Jul 05 '24 16:07
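As an added example (not code from this issue or from cloudquery), the env-var workaround mentioned in the first comment, together with the expiry check that the second comment's caveat calls for. The Fargate container credential endpoint, its JSON field names, the region default and all function names are assumptions taken from AWS documentation rather than from the thread.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone

# Fargate serves the task role's temporary credentials at this host plus the
# path in AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (assumption from AWS docs, not
# stated in the issue).
ECS_CREDENTIALS_HOST = "http://169.254.170.2"

def fetch_task_credentials(timeout: float = 2.0) -> dict:
    """Read the task role credentials from the Fargate container endpoint."""
    url = ECS_CREDENTIALS_HOST + os.environ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def parse_expiration(payload: dict) -> datetime:
    """Expiration is an ISO-8601 UTC timestamp such as 2024-07-04T09:07:00Z."""
    raw = datetime.strptime(payload["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return raw.replace(tzinfo=timezone.utc)

def export_for_gcp_federation(payload: dict, env: dict, region: str) -> None:
    """Put the credentials where Google's AWS credential source checks before
    it falls back to the EC2 metadata address that fails on Fargate."""
    env["AWS_ACCESS_KEY_ID"] = payload["AccessKeyId"]
    env["AWS_SECRET_ACCESS_KEY"] = payload["SecretAccessKey"]
    env["AWS_SESSION_TOKEN"] = payload["Token"]
    env.setdefault("AWS_REGION", region)

def seconds_until_expiry(payload: dict, now: datetime) -> float:
    return (parse_expiration(payload) - now).total_seconds()

def needs_refresh(payload: dict, now: datetime, margin_seconds: int = 300) -> bool:
    """True when the exported static credentials are close to useless: the
    failure mode the thread describes, since the GCP library cannot refresh
    values it only ever saw as environment variables."""
    return seconds_until_expiry(payload, now) <= margin_seconds

# Constructed sample in the shape the endpoint returns (not real credentials).
SAMPLE_PAYLOAD = {
    "RoleArn": "arn:aws:iam::123456789012:role/example-task-role",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
    "Expiration": "2024-07-04T09:07:00Z",
}

if __name__ == "__main__":
    env = {}
    export_for_gcp_federation(SAMPLE_PAYLOAD, env, region="us-east-1")
    now = datetime(2024, 7, 4, 8, 7, tzinfo=timezone.utc)
    print(sorted(env), needs_refresh(SAMPLE_PAYLOAD, now))
```

In a real task, `fetch_task_credentials()` replaces `SAMPLE_PAYLOAD`, and `needs_refresh` is what a wrapper would poll so the env vars are re-exported before the GCP side tries to renew its token.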