
ID token with workload identity federation

Open jalbinge opened this issue 3 years ago • 11 comments

Hello together,

I want to access a GCP Cloud Endpoint with workload identity federation from AWS. I have a generated impersonated key file and your first example with list buckets worked well.

For Cloud endpoints and gRPC there is the need to use GOOGLE_ID_TOKEN instead of ACCESS_TOKENS.

My code looks like this. I used the getIdTokenClient function.

```javascript
const {GoogleAuth} = require('google-auth-library');

async function main() {
  const url = "https://my-cloud-endpoint-url-endpoint-pimf6a67fa-ew.a.run.app/v1/status"

  const auth = new GoogleAuth({
      keyFile: process.env.GOOGLE_APPLICATION_CREDENTIALS,
      scopes: 'https://www.googleapis.com/auth/cloud-platform',
      projectId: 'my-project',
  });
  const targetAudience = "this-is-my-target-audience"
  // Fails with the error quoted below when the credentials are an external-account (WIF) key file
  const client = await auth.getIdTokenClient(targetAudience);

  const res = await client.request({ url });
  console.log(res.data);
}

main().catch(console.error);
```

The error message is:

```
Error: Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file. at GoogleAuth.getIdTokenClient
```

The problem is that I have an access token. In my case I need an ID Token. I was wondering if there is a possibility to get an ID Token before I request my endpoint.

(It works in Python: google.auth has an `impersonated_credentials` object with an ID token functionality.)

```python
creds = impersonated_credentials.IDTokenCredentials(target_creds, target_audience=audience, include_email=True)
```

Anyway, I need a solution for Node.js.

Thanks

jalbinge avatar Jun 23 '21 16:06 jalbinge

@jalbinge the person who implemented this feature is currently away for a few days, I'll loop them in regarding your question as soon as they're back.

bcoe avatar Jun 24 '21 20:06 bcoe

Is there any workaround for this? I'm also facing same error.

sagar86kc avatar Dec 03 '21 08:12 sagar86kc

@bojeil-google any thoughts on this one, or is there someone we can point folks towards?

bcoe avatar Dec 21 '21 17:12 bcoe

@xil222 could you help out with this one? Is this a known limitation of the current workload identity implementation?

bcoe avatar Dec 28 '21 15:12 bcoe

Hey there, be aware that I am not very familiar with Node.js, but here is some example code which worked for me:

```javascript
// Make a request to a protected Cloud Run service.
const {GoogleAuth} = require('google-auth-library');
const axios = require('axios');

// Exchange the workload identity federation access token for an ID token by
// calling the IAM Credentials generateIdToken API for the impersonated service account.
async function getGcpIdToken(access_token) {
    const data = JSON.stringify(
        {
            "audience": "https://your-audience-endpoint-pimf6a67fa-ew.a.run.app",
            "includeEmail": true
        }
    )
    const result = await axios({
        method: 'post',
        url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/account-id.iam.gserviceaccount.com:generateIdToken',
        data: data,
        headers: {
            'Content-Type': 'application/json',
            'Content-Length': data.length,
            'Authorization': `Bearer ${access_token}`
        }
    });
    return result.data.token;
}

// Call the protected endpoint with the ID token as the bearer credential.
async function getStatus(id_token){
    const result = await axios({
        method: 'get',
        url: 'https://your-endpoint-url',
        headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${id_token}`
        }
    });
    console.log(result.data);
    return result;
}

async function main() {
    const auth = new GoogleAuth(
        { scopes: 'https://www.googleapis.com/auth/cloud-platform' }
    )
    const client = await auth.getClient();
    const access_token = (await client.getAccessToken()).token;
    const id_token = await getGcpIdToken(access_token);
    await getStatus(id_token);
}
main().catch(console.error);
```

jalbinge avatar Jan 03 '22 08:01 jalbinge
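The workaround above mints an ID token by hand and then uses it straight away. The following is an added example, not code from the thread or from google-auth-library: it keeps the same two steps (access token from WIF, then the IAM Credentials `generateIdToken` call) but builds the request in one place and sanity-checks the returned token's `aud`, `iss` and `exp` claims before the token is sent to any endpoint, so a token minted for the wrong audience is caught client-side. The transport is injected so the flow runs offline here; the service account email, audience, access token and the transport are all hypothetical placeholders, and the sample token is constructed and unsigned (real tokens are signed by Google and verified by the receiving service).

```javascript
// Added example (not from the thread): WIF access token -> generateIdToken -> claim-checked ID token.
const IAM_CREDENTIALS = 'https://iamcredentials.googleapis.com/v1';
const SERVICE_ACCOUNT = 'account-id@my-project.iam.gserviceaccount.com'; // placeholder
const TARGET_AUDIENCE = 'https://your-audience-endpoint.a.run.app';     // placeholder

// Build the generateIdToken call once; includeEmail is a boolean in the API body.
function buildGenerateIdTokenRequest(accessToken, serviceAccountEmail, audience) {
  return {
    url: `${IAM_CREDENTIALS}/projects/-/serviceAccounts/${serviceAccountEmail}:generateIdToken`,
    body: { audience, includeEmail: true },
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${accessToken}` },
  };
}

// Decode (not verify) the JWT payload; base64url -> base64 is done by hand for older Node versions.
function decodeJwtClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Client-side sanity check before using the token: right audience, right issuer, not expired.
// Signature verification is the receiving service's job, not the caller's.
function checkIdTokenClaims(jwt, expectedAudience, nowSeconds = Math.floor(Date.now() / 1000)) {
  const c = decodeJwtClaims(jwt);
  const problems = [];
  if (c.aud !== expectedAudience) problems.push(`aud is ${c.aud}, expected ${expectedAudience}`);
  if (c.iss !== 'https://accounts.google.com') problems.push(`unexpected iss ${c.iss}`);
  if (typeof c.exp !== 'number' || c.exp <= nowSeconds) problems.push('token expired or has no exp');
  return problems;
}

// Full flow with an injectable transport (post) so it can be exercised offline.
async function mintCheckedIdToken({ accessToken, serviceAccountEmail, audience, post }) {
  const req = buildGenerateIdTokenRequest(accessToken, serviceAccountEmail, audience);
  const res = await post(req.url, req.body, req.headers);
  const problems = checkIdTokenClaims(res.token, audience);
  if (problems.length) throw new Error(`refusing to use ID token: ${problems.join('; ')}`);
  return res.token;
}

// Constructed, unsigned sample token for the offline demo (real tokens are RS256-signed by Google).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}

async function main() {
  // Stand-in transport: echoes the requested audience back in a constructed token.
  const fakePost = async (url, body) => ({
    token: makeSampleToken({
      aud: body.audience, iss: 'https://accounts.google.com',
      exp: Math.floor(Date.now() / 1000) + 3600, email: SERVICE_ACCOUNT,
    }),
  });
  // In production, post would wrap axios/fetch and accessToken would come from
  // (await client.getAccessToken()).token on a GoogleAuth client, as in the thread.
  const token = await mintCheckedIdToken({
    accessToken: 'ya29.placeholder', serviceAccountEmail: SERVICE_ACCOUNT,
    audience: TARGET_AUDIENCE, post: fakePost,
  });
  console.log('ID token audience:', decodeJwtClaims(token).aud);
}
main().catch(console.error);
```

The audience check matters because `generateIdToken` mints whatever audience the caller asks for; a typo in `TARGET_AUDIENCE` yields a valid token that the endpoint will reject, and the check turns that into a clear local error instead of a 401 from the service.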

Hey @jalbinge this looks like a duplicate feature request of https://github.com/googleapis/google-auth-library-nodejs/issues/1305 I didn't dive into the details of the provided snippet but it looks like it should work.

bojeil-google avatar Jan 05 '22 02:01 bojeil-google

@bojeil-google let me know if you can pitch in here, worst case can have someone on our team start ramping up on WIF.

bcoe avatar Jan 07 '22 17:01 bcoe

> @bojeil-google let me know if you can pitch in here, worst case can have someone on our team start ramping up on WIF.

Hey @bcoe, I mentioned above that this looks like a duplicate of the other issue. @xil222 is no longer on the team. I can hold on this or the duplicate issue until we can find the right owner for it.

bojeil-google avatar Jan 10 '22 18:01 bojeil-google

@bojeil-google there seems to be some variation in the environment and nuance of two issues. Shall we keep both open for now, even if the same documentation or implementation work addresses both?

bcoe avatar Jan 13 '22 15:01 bcoe

> @bojeil-google there seems to be some variation in the environment and nuance of two issues. Shall we keep both open for now, even if the same documentation or implementation work addresses both?

Ok, sounds good @bcoe. Let's keep both open.

bojeil-google avatar Jan 13 '22 17:01 bojeil-google

Any further development on the issue? Or do we still need to do the workaround and manually get the token for an impersonated service account?

DeepikaJTW avatar Jun 08 '23 09:06 DeepikaJTW