
Programmatic OIDC WIF

Open duffenterprises opened this issue 2 years ago • 2 comments

In the documentation provided here the suggestion is to eventually drop down to a gcloud command to "generate the configuration file in the specified output file".

This seems at least in spirit against the objective of keyless access to GCP since a file now exists that can subsequently be used for access.

Our use case is generating short term credentials via our on-premise OIDC provider and then performing a GCP operation (e.g. move a file to a bucket).

In discussions with @sethvargo in this issue it was suggested @bcoe might be in a position to help/explain. While we can certainly fork to do this all programmatically as described in the issue, I'm trying to understand the team's thinking.

duffenterprises, Jun 16 '22 14:06

@aeitzma, is there anyone on the auth team who might be able to field @duffenterprises' question?

bcoe, Jun 20 '22 18:06

@duffenterprises Can you elaborate on what you mean by “a file now exists that can subsequently be used for access”? The generated ADC file itself doesn’t have keys that could be used for access (when set up for OIDC workload pools); it contains either a path to a file with a key, or a URL that could be used to access your on-premises OIDC provider to get a token. If you want to achieve the same thing without the ADC file, it is possible to just create an instance of GoogleAuth and pass the JSON input that would have been pulled from the ADC config directly in the code like so:

// Requires: npm install google-auth-library
const {GoogleAuth} = require('google-auth-library');

// Same content a generated ADC file would hold: no key material, only the STS
// audience and a pointer (URL) to where the OIDC subject token can be fetched.
// Note the audience host is iam.googleapis.com.
const oidc_credentials = {
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/{POOL_ID}/providers/{OIDC_PROVIDER_ID}",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "url": "{URL_TO_GET_OIDC_TOKEN}",
    "headers": {
      "{HEADER_KEY}": "{HEADER_VALUE}"
    }
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}:generateAccessToken"
};

async function main() {
  const auth = new GoogleAuth({
    credentials: oidc_credentials,
    scopes: 'https://www.googleapis.com/auth/cloud-platform',
  });
  // The client exchanges the OIDC token at the STS token_url on first use.
  const client = await auth.getClient();
  return client;
}

main().catch((err) => { console.error(err); process.exit(1); });

This still limits you to using either a token stored in a file or one retrieved from a local GET endpoint, so if you want to retrieve the token in a different way you will have to fork and implement that since we don’t currently support other methods.

aeitzman, Jun 28 '22 18:06
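As an added example (not code from this thread or from google-auth-library), a helper that builds the same external_account object from parameters, so nothing is written to disk, and a check that reports which fields, if any, would make the config a reusable secret on its own; the helper names and the sample values are assumptions, not from the library.

```javascript
// Added example: build a google-auth-library "external_account" config for an
// OIDC workload identity pool in code, without writing an ADC file.
// Helper names and sample values are constructed for illustration.

const STS_TOKEN_URL = 'https://sts.googleapis.com/v1/token';
const JWT_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:jwt';

// Build the credentials object that GoogleAuth({credentials}) accepts.
function buildOidcWifCredentials({projectNumber, poolId, providerId,
                                  oidcTokenUrl, oidcHeaders = {},
                                  serviceAccountEmail}) {
  if (!/^\d+$/.test(String(projectNumber))) {
    throw new Error('projectNumber must be the numeric project number');
  }
  // The subject token is fetched over the network; insist on TLS.
  if (!oidcTokenUrl.startsWith('https://')) {
    throw new Error('credential_source.url must use https');
  }
  const credentials = {
    type: 'external_account',
    audience: `//iam.googleapis.com/projects/${projectNumber}/locations/global` +
              `/workloadIdentityPools/${poolId}/providers/${providerId}`,
    subject_token_type: JWT_TOKEN_TYPE,
    token_url: STS_TOKEN_URL,
    credential_source: {url: oidcTokenUrl, headers: oidcHeaders},
  };
  if (serviceAccountEmail) {
    credentials.service_account_impersonation_url =
      'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/' +
      `${serviceAccountEmail}:generateAccessToken`;
  }
  return credentials;
}

// Lists fields that carry or point at long-lived secret material (a private
// key, or a token file on disk). An empty list means the config only holds
// pointers, which is the property the thread is asking about.
function longLivedSecretFields(credentials) {
  const found = [];
  if ('private_key' in credentials) found.push('private_key');
  const src = credentials.credential_source;
  if (src && 'file' in src) found.push('credential_source.file');
  return found;
}

// Usage with the library (not executed here):
//   const {GoogleAuth} = require('google-auth-library');
//   const auth = new GoogleAuth({credentials: buildOidcWifCredentials({/*...*/}),
//     scopes: 'https://www.googleapis.com/auth/cloud-platform'});
```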