feat: add AWS container credential provider

Open mmalecki opened this issue 1 year ago • 4 comments

The container credential provider is used on AWS ECS and AWS EKS. It presents a different API and integration surface than IMDS, and so custom code is required to make use of it.

Ref: https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html

Fixes #885. Fixes #1099.

One thing I wasn't sure about in this PR was reusing the url parameter, rendering it to have 2 different meanings. I'm happy to refactor it to a different name, but I'll leave that decision up to reviewers.

mmalecki avatar Jul 08 '24 22:07 mmalecki

Can confirm we've tested with this and it works as expected. Thanks @mmalecki! Makes our lives way easier.

youcandanch avatar Jul 09 '24 12:07 youcandanch

@BigTailWolf please take a look, thanks!

arithmetic1728 avatar Jul 11 '24 07:07 arithmetic1728

@BigTailWolf if you've got some time, this would unblock those of us trying to use ECS with google-auth in a big way. Right now, we're basically locked into using service account keys, and being able to use identity federation would be a huge step in securing our applications better. Thanks in advance!

youcandanch avatar Jul 30 '24 16:07 youcandanch

Hey folks, we don't plan on directly supporting this right now and suggest using your own custom credential supplier.

lsirac avatar Jul 30 '24 22:07 lsirac

@lsirac okay, thanks for the link, that seems pretty straightforward. I'll fully admit that's a little disappointing as it's something we'll have to incorporate in every repo we have that uses ECS, but I also totally understand y'all have to juggle your priorities.

youcandanch avatar Aug 01 '24 16:08 youcandanch
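
The container credential lookup that a custom supplier of the kind suggested in this thread would perform, as an added example that is not code from this PR or from google-auth. The environment variable names and response fields follow the AWS reference linked in the PR description; the function names, the plain-http host allow-list, the timeout and the injectable `http_get` parameter are assumptions of this sketch. A supplier's `get_aws_security_credentials` would wrap the returned values in `google.auth.aws.AwsSecurityCredentials`.

```python
import ipaddress
import json
import os
import urllib.request
from urllib.parse import urlsplit

ECS_HOST = "http://169.254.170.2"  # fixed host for the relative-URI form
# Assumed allow-list: non-loopback agent addresses accepted over plain http.
HTTP_HOSTS = {"169.254.170.2", "169.254.170.23", "fd00:ec2::23"}

def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False

def resolve_endpoint(env):
    """Return (url, headers) for the container credential endpoint."""
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    full = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if relative:
        url = ECS_HOST + relative
    elif full:
        parts = urlsplit(full)
        host = parts.hostname or ""
        plain_ok = parts.scheme == "http" and (host in HTTP_HOSTS or _is_loopback(host))
        if parts.scheme != "https" and not plain_ok:
            raise ValueError("refusing credential endpoint: " + full)
        url = full
    else:
        raise ValueError("no container credential URI in environment")
    # The token file, when set, takes precedence over the inline token.
    token = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN")
    if env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"):
        with open(env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"]) as f:
            token = f.read()
    if token and ("\r" in token or "\n" in token):
        raise ValueError("authorization token contains a line break")
    return url, ({"Authorization": token} if token else {})

def _http_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read()

def fetch_credentials(env=os.environ, http_get=_http_get):
    url, headers = resolve_endpoint(env)
    doc = json.loads(http_get(url, headers))
    return {"access_key_id": doc["AccessKeyId"], "secret_access_key": doc["SecretAccessKey"],
            "session_token": doc["Token"], "expiration": doc.get("Expiration")}
```

The host check matters because `AWS_CONTAINER_CREDENTIALS_FULL_URI` decides where the authorization token is sent, so an unvalidated value would let whoever controls the environment redirect that token over cleartext.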