Workload Identity Federation from AWS support
AWS needs a specialised implementation for Workload Identity Federation authentication.
Described here: https://google.aip.dev/auth/4117
Hello,
Sorry for bumping an old issue, but I wonder if my use-case would be similar. I need to auth with WIP, but on any kind of Kubernetes cluster. In the end, I need to auth with this equivalent gcloud command, without using Service Account impersonation (source):
gcloud iam workload-identity-pools create-cred-config \
projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \
--credential-source-file=/var/run/service-account/token \
--credential-source-type=text \
--output-file=credential-configuration.json
If I'm not mistaken, the produced JSON file may be used as a TokenSourceType::Json, but I would be lacking the refresh automation, as the command given above should be run again before token expiration.
I planned on writing a custom Source for this use-case, but that would probably benefit the project.
Do you have ideas about how things should be implemented? Like, creating a new variant of TokenSourceType?
Should I create another issue?
Thanks for reading!
Hi,
Your use case seems already covered in my implementation: https://github.com/abdolence/gcloud-sdk-rs/blob/5b8ef6a2b07f8792de1faf7c2fb62154ee12c391/gcloud-sdk/src/token_source/ext_creds_source/mod.rs#L11
AWS is a special one since it requires implementing a complex interaction with AWS. Yours looks like just a file and it should work. GitHub has a similar integration and it works even in this repo.
In theory you shouldn't write anything and can use the crate out of the box. It should handle workload identity in Kubernetes automatically (just make sure it is enabled in GKE).
Thanks for the quick reply!
Indeed, it looks like it is already covered, but in the above gcloud command example, I'm using the Kubernetes ServiceAccount token file, which just contains a JWT. So I'm guessing I should provide another file that contains all the other parameters, but what is its format? Or maybe export some env var that will hint the crate about what to use?
If I'm not mistaken, with what's done in the crate, I should just have to provide it:
- SA token file path
- WorkloadIdentityPoolProviderId
I probably have missed something, sorry for asking.
Oh, right, you don't have a metadata server and stuff available I guess? Is it some kind of self-hosted Kubernetes? Let me investigate available options and come back to you.
I think I found something: https://cloud.google.com/iam/docs/workload-download-cred-and-grant-access
What it produces:
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<WIP_ID>/providers/<WIPP_ID>",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/run/secrets/kubernetes.io/serviceaccount/token",
    "format": {
      "type": "text"
    }
  }
}
I guess I just have to format the file for my need and reference it with FileBased using JSON format.
I'll try that and let you know.
EDIT: And I think I can even use the GOOGLE_APPLICATION_CREDENTIALS default variable pointing to that file, to let the crate auto-discover the method.
EDIT 2: I confirm it works with GOOGLE_APPLICATION_CREDENTIALS pointing to the above file. Thanks!
Yeah, this should work. I was trying to find a similar example, glad you have already found it.
One thing worth mentioning about that file: please consider it also as a sensitive file so nobody can modify it. It doesn't have a token, but it has sensitive settings, so if a malicious actor can modify it, they can extract token values to a specified location (for example, to some unexpected HTTP URL).
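An added check for the risk described in this last comment, written for this thread and not part of gcloud-sdk-rs or the gcloud tooling: it audits an external_account credential configuration (loaded with json.load) before the crate consumes it, confirming that token_url is still Google STS, that the audience is a workload identity pool provider, that the subject token comes from the projected SA token file rather than a URL, that no impersonation is configured, and that the file is not writable by others. The project number and pool/provider IDs in the constructed sample are placeholders.

```python
import os
import stat

# Expected values for a Kubernetes-projected SA token source (IDs below are placeholders).
ALLOWED_TOKEN_URL = "https://sts.googleapis.com/v1/token"
AUDIENCE_PREFIX = "//iam.googleapis.com/projects/"
EXPECTED_TOKEN_FILE = "/run/secrets/kubernetes.io/serviceaccount/token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"

def check_credential_config(cfg: dict) -> list[str]:
    """Return findings for an external_account config; an empty list means it looks as expected."""
    findings = []
    if cfg.get("type") != "external_account":
        findings.append(f"unexpected type {cfg.get('type')!r}")
    # token_url is where the SA token gets POSTed for exchange; anything but Google STS leaks it.
    if cfg.get("token_url") != ALLOWED_TOKEN_URL:
        findings.append(f"token_url is not Google STS: {cfg.get('token_url')!r}")
    audience = cfg.get("audience", "")
    if not audience.startswith(AUDIENCE_PREFIX) or "/workloadIdentityPools/" not in audience:
        findings.append(f"audience is not a workload identity pool provider: {audience!r}")
    if cfg.get("subject_token_type") != JWT_TOKEN_TYPE:
        findings.append(f"unexpected subject_token_type {cfg.get('subject_token_type')!r}")
    src = cfg.get("credential_source", {})
    if "url" in src or src.get("file") != EXPECTED_TOKEN_FILE:
        findings.append(f"credential_source does not read the projected SA token file: {src!r}")
    if src.get("format", {}).get("type") != "text":
        findings.append("credential_source.format.type is not 'text'")
    # The thread wants the raw federated identity, without service account impersonation.
    if "service_account_impersonation_url" in cfg:
        findings.append("config uses service account impersonation")
    return findings

def check_file_permissions(path: str) -> list[str]:
    """Flag a config file that group or others could modify (the risk called out above)."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return [f"{path} is group- or world-writable"]
    return []

# Constructed samples: the config shape from the thread, and a copy whose token_url was changed.
GOOD = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-pool/providers/my-provider",
    "subject_token_type": JWT_TOKEN_TYPE,
    "token_url": ALLOWED_TOKEN_URL,
    "credential_source": {"file": EXPECTED_TOKEN_FILE, "format": {"type": "text"}},
}
TAMPERED = dict(GOOD, token_url="https://sts.example.invalid/v1/token")
```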