google-auth-library-nodejs
Programatic OIDC WIF
In the documentation provided here the suggestion is to eventually drop down to a gcloud command to "generate the configuration file in the specified output file".
This seems at least in spirit against the objective of keyless access to GCP since a file now exists that can subsequently be used for access.
Our use case is generating short term credentials via our on-premise OIDC provider and then performing a GCP operation (e.g. move a file to a bucket).
In discussions with @sethvargo in this issue it was suggested @bcoe might be in a position to help/explain. While we can certainly fork to do this all programmatically as described in the issue, I'm trying to understand the team's thinking.
@aeitzma, is there anyone on the auth team who might be able to field @duffenterprises' question?
@duffenterprises Can you elaborate on what you mean by "a file now exists that can subsequently be used for access"? The generated ADC file itself doesn't have keys that could be used for access (when set up for OIDC workload pools); it contains either a path to a file with a key, or a URL that could be used to access your on-premise OIDC provider to get a token. If you want to achieve the same thing without the ADC file, it is possible to just create an instance of GoogleAuth and pass the JSON input that would have been pulled from the ADC config directly in the code like so:
```js
// Requires the google-auth-library package; values in braces are placeholders to fill in.
const { GoogleAuth } = require('google-auth-library');

const oidc_credentials = {
  "type": "external_account",
  // Workload identity pool provider the OIDC token is exchanged against (host is iam.googleapis.com).
  "audience": "//iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/{POOL_ID}/providers/{OIDC_PROVIDER_ID}",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  // Where the library fetches the OIDC token: a local GET endpoint (a "file" source is the other option).
  "credential_source": {
    "url": "{URL_TO_GET_OIDC_TOKEN}",
    "headers": {
      "{HEADER_KEY}": "{HEADER_VALUE}"
    }
  },
  // Service account to impersonate after the STS token exchange.
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}:generateAccessToken",
};

async function main() {
  const auth = new GoogleAuth({
    credentials: oidc_credentials,
    scopes: 'https://www.googleapis.com/auth/cloud-platform',
  });
  // The client exchanges the OIDC token for a short-lived GCP access token on demand.
  const client = await auth.getClient();
  return client;
}

main();
```
This still limits you to using either a token stored in a file or one retrieved from a local GET endpoint, so if you want to retrieve the token in a different way you will have to fork and implement that since we don’t currently support other methods.