google-auth-library-nodejs
ID token with workload identity federation
Hello together,
I want to access a GCP Cloud Endpoint with workload identity federation from AWS. I have a generated impersonated key file and your first example with list buckets worked well.
For Cloud Endpoints and gRPC there is the need to use GOOGLE_ID_TOKEN instead of ACCESS_TOKENS.
My code looks like this. I used the getIdTokenClient function.
```javascript
const {GoogleAuth} = require('google-auth-library');

async function main() {
  const url = 'https://my-cloud-endpoint-url-endpoint-pimf6a67fa-ew.a.run.app/v1/status';
  const auth = new GoogleAuth({
    keyFile: process.env.GOOGLE_APPLICATION_CREDENTIALS,
    scopes: 'https://www.googleapis.com/auth/cloud-platform',
    projectId: 'my-project',
  });
  const targetAudience = 'this-is-my-target-audience';
  // Fails with the error below when the credentials file is a workload identity federation file.
  const client = await auth.getIdTokenClient(targetAudience);
  const res = await client.request({url});
  console.log(res.data);
}

main().catch(console.error);
```
The error message is:
```
Error: Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file.
    at GoogleAuth.getIdTokenClient
```
The problem is that I have an access token. In my case I need an ID Token. I was wondering if there is a possibility to get an ID Token before I request my endpoint.
(It works in Python: `google.auth` has an `impersonated_credentials` object with ID token functionality.)
```python
creds = impersonated_credentials.IDTokenCredentials(target_creds, target_audience=audience, include_email=True)
```
Anyway, I need a solution for Node.js.
Thanks
@jalbinge the person who implemented this feature is currently away for a few days, I'll loop them in regarding your question as soon as they're back.
Is there any workaround for this? I'm also facing the same error.
@bojeil-google any thoughts on this one, or is there someone we can point folks towards?
@xil222 could you help out with this one? Is this a known limitation of the current workload identity implementation?
Hey there, be aware that I am not very familiar with Node.js, but here is example code which worked for me:
```javascript
// Make a request to a protected Cloud Run service.
const {GoogleAuth} = require('google-auth-library');
const axios = require('axios');

// Exchange the (federated) access token for an ID token minted for the
// impersonated service account through the IAM Credentials API.
async function getGcpIdToken(access_token) {
  const data = JSON.stringify({
    audience: 'https://your-audience-endpoint-pimf6a67fa-ew.a.run.app',
    includeEmail: true,
  });
  const result = await axios({
    method: 'post',
    url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/account-id.iam.gserviceaccount.com:generateIdToken',
    data: data,
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${access_token}`,
    },
  });
  return result.data.token;
}

// Call the protected endpoint with the ID token as the bearer token.
async function getStatus(id_token) {
  const result = await axios({
    method: 'get',
    url: 'https://your-endpoint-url',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${id_token}`,
    },
  });
  console.log(result.data);
  return result;
}

async function main() {
  const auth = new GoogleAuth({
    scopes: 'https://www.googleapis.com/auth/cloud-platform',
  });
  const client = await auth.getClient();
  const access_token = (await client.getAccessToken()).token;
  const id_token = await getGcpIdToken(access_token);
  await getStatus(id_token);
}

main().catch(console.error);
```
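Added example (my own code, not from the issue thread and not part of google-auth-library): the same generateIdToken exchange written against Node's built-in `fetch` with an injectable transport, plus a client-side check that the minted token actually carries the requested audience and has not expired before it is sent anywhere. The function names (`mintImpersonatedIdToken`, `checkIdTokenClaims`, `callEndpointWithIdToken`), the service account address and the audience are placeholders I made up; the JWT decoder only reads claims and leaves signature verification to the receiving endpoint, which is where it belongs.

```javascript
// Added example: mint an ID token for an impersonated service account with the
// IAM Credentials generateIdToken endpoint and sanity-check its claims.
// All names, the service account and the audience below are hypothetical.
const IAM_CREDENTIALS = 'https://iamcredentials.googleapis.com/v1';

// Decode a JWT payload WITHOUT verifying the signature. Good enough for a
// client-side sanity check; the endpoint (Cloud Endpoints / ESPv2) verifies.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Confirm the token was minted for the audience we asked for, by Google,
// and is still valid. Returns every problem found, not just the first.
function checkIdTokenClaims(jwt, expectedAudience, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(jwt);
  const problems = [];
  if (claims.aud !== expectedAudience) problems.push(`aud mismatch: ${claims.aud}`);
  if (claims.iss !== 'https://accounts.google.com') problems.push(`unexpected iss: ${claims.iss}`);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) problems.push('token expired');
  return {ok: problems.length === 0, problems, claims};
}

// Exchange an access token (from any GoogleAuth client, including a workload
// identity federation client) for an ID token minted for `serviceAccount`.
// `fetchImpl` is injectable so the exchange can be exercised offline.
async function mintImpersonatedIdToken({accessToken, serviceAccount, audience, includeEmail = true, fetchImpl = globalThis.fetch}) {
  const url = `${IAM_CREDENTIALS}/projects/-/serviceAccounts/${serviceAccount}:generateIdToken`;
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: {'Content-Type': 'application/json', Authorization: `Bearer ${accessToken}`},
    body: JSON.stringify({audience, includeEmail}),
  });
  if (!res.ok) throw new Error(`generateIdToken failed: HTTP ${res.status}`);
  const body = await res.json();
  const check = checkIdTokenClaims(body.token, audience);
  if (!check.ok) throw new Error(`minted token rejected: ${check.problems.join('; ')}`);
  return body.token;
}

// Wire it together: access token from the library's client (works with a
// workload identity federation credential file), ID token in the request.
async function callEndpointWithIdToken({endpointUrl, serviceAccount, audience}) {
  const {GoogleAuth} = require('google-auth-library'); // loaded lazily so the helpers above run without it
  const auth = new GoogleAuth({scopes: 'https://www.googleapis.com/auth/cloud-platform'});
  const client = await auth.getClient();
  const accessToken = (await client.getAccessToken()).token;
  const idToken = await mintImpersonatedIdToken({accessToken, serviceAccount, audience});
  const res = await fetch(endpointUrl, {headers: {Authorization: `Bearer ${idToken}`}});
  return res.json();
}

// Build an unsigned test JWT (constructed sample; no real endpoint accepts it).
function makeFakeIdToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({alg: 'RS256', typ: 'JWT'})}.${enc(claims)}.c2ln`;
}
```

In production you would call `callEndpointWithIdToken({endpointUrl: 'https://your-endpoint-url', serviceAccount: 'sa@your-project.iam.gserviceaccount.com', audience: 'https://your-endpoint-url'})` (placeholder values). The claim check exists because the audience string is the only thing binding the minted token to one endpoint; a token minted for the wrong audience is rejected by the endpoint anyway, but catching it locally gives a clearer error than a 401 from the proxy.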
Hey @jalbinge, this looks like a duplicate feature request of https://github.com/googleapis/google-auth-library-nodejs/issues/1305. I didn't dive into the details of the provided snippet but it looks like it should work.
@bojeil-google let me know if you can pitch in here, worst case can have someone on our team start ramping up on WIF.
Hey @bcoe, I mentioned above that this looks like a duplicate of the other issue. @xil222 is no longer on the team. I can hold on this or the duplicate issue until we can find the right owner for it.
@bojeil-google there seems to be some variation in the environment and nuance of two issues. Shall we keep both open for now, even if the same documentation or implementation work addresses both?
Ok, sounds good @bcoe. Let's keep both open.
Any further development on the issue? Or do we still need to use the workaround and manually get the token for an impersonated service account?