
Add workload identity federation support for ecs tasks

Open jaimemasson opened this issue 1 year ago • 6 comments

Would like to be able to use workload identity federation on ECS tasks like EC2 instances.

jaimemasson, Nov 26 '23 20:11

Hello @jaimemasson! We already have support for Workload Identity Federation! Check out the README here and let us know if you run into any problems:

https://github.com/googleapis/google-auth-library-php#external-credentials-workload-identity-federation

bshaffer, Nov 28 '23 20:11

@bshaffer This seems to only work for AWS on EC2 instances, but as far as I can tell ECS services (tasks) use different endpoints to assume a role, and therefore this method as mentioned doesn't work. From what I can tell this should probably be handled with an update both on the downloaded credentials side and the library side, but it could potentially be handled just on the library side with some documentation. If I am mistaken and this works with ECS containers, any guidance would be welcome.

jaimemasson, Dec 28 '23 03:12

I only tested on EC2 instances.

@aeitzman do you know if WIF is supported for ECS Tasks?

bshaffer, Dec 28 '23 13:12

@bshaffer I'm pretty sure it doesn't support ECS, as EC2 uses a static endpoint to retrieve cred metadata, whereas ECS tasks have a variable cred metadata endpoint set in an ENV variable.

jaimemasson, Dec 28 '23 18:12
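To make the difference the comment above describes concrete, here is an added example (not code from google-auth-library-php, and not an API the library exposes) that resolves where a container should fetch its AWS security credentials from and normalises the result. EC2 serves credentials from the fixed IMDS address, while an ECS task is given a per-task path in `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` (or a full URL in `AWS_CONTAINER_CREDENTIALS_FULL_URI`, optionally guarded by `AWS_CONTAINER_AUTHORIZATION_TOKEN`). The class name `AwsCredentialSource`, the injected `$fetch` callable and the sample JSON are assumptions made so the snippet runs offline; the IMDSv2 token step that a real EC2 fetch would need is left out.

```php
<?php
// Added example, not part of google-auth-library-php. Resolves the AWS
// credential endpoint for the current environment and parses the document.
// $fetch is a hypothetical HTTP GET stand-in: fn(string $url, array $headers): string.
declare(strict_types=1);

final class AwsCredentialSource
{
    // ECS agent credential endpoint (link-local, same on every task).
    public const ECS_BASE = 'http://169.254.170.2';
    // EC2 IMDS: lists the instance role name, credentials live under that name.
    public const EC2_BASE = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';

    /** @var callable */
    private $fetch;
    /** @var array<string,string> */
    private array $env;

    public function __construct(callable $fetch, array $env)
    {
        $this->fetch = $fetch;
        $this->env = $env;
    }

    /** [url, headers] for the ECS credential document, or null when no ECS variable is set. */
    public function ecsEndpoint(): ?array
    {
        $headers = [];
        if (!empty($this->env['AWS_CONTAINER_AUTHORIZATION_TOKEN'])) {
            $headers['Authorization'] = $this->env['AWS_CONTAINER_AUTHORIZATION_TOKEN'];
        }
        if (!empty($this->env['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'])) {
            return [self::ECS_BASE . $this->env['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'], $headers];
        }
        if (!empty($this->env['AWS_CONTAINER_CREDENTIALS_FULL_URI'])) {
            $url = $this->env['AWS_CONTAINER_CREDENTIALS_FULL_URI'];
            $scheme = parse_url($url, PHP_URL_SCHEME);
            $host = parse_url($url, PHP_URL_HOST);
            // Plain-HTTP full URIs are only honoured for loopback or the ECS link-local
            // address (an allowlist similar to the one the AWS SDKs apply); otherwise an
            // attacker who controls the environment could point the task's credential
            // fetch, including the authorization token, at a host of their choosing.
            if ($scheme !== 'https'
                && !in_array($host, ['localhost', '127.0.0.1', '169.254.170.2'], true)) {
                throw new RuntimeException("Refusing AWS_CONTAINER_CREDENTIALS_FULL_URI host: " . var_export($host, true));
            }
            return [$url, $headers];
        }
        return null;
    }

    /** Fetch credentials from ECS when configured, else from EC2 IMDS, and normalise the keys. */
    public function credentials(): array
    {
        $endpoint = $this->ecsEndpoint();
        if ($endpoint === null) {
            $role = trim(($this->fetch)(self::EC2_BASE, []));
            $endpoint = [self::EC2_BASE . $role, []];
        }
        [$url, $headers] = $endpoint;
        $doc = json_decode(($this->fetch)($url, $headers), true, 512, JSON_THROW_ON_ERROR);
        foreach (['AccessKeyId', 'SecretAccessKey', 'Token', 'Expiration'] as $key) {
            if (!isset($doc[$key]) || !is_string($doc[$key])) {
                throw new RuntimeException("Credential document is missing $key");
            }
        }
        return [
            'access_key_id'     => $doc['AccessKeyId'],
            'secret_access_key' => $doc['SecretAccessKey'],
            'security_token'    => $doc['Token'],
            'expiration'        => new DateTimeImmutable($doc['Expiration']),
        ];
    }
}

// Constructed sample of what the ECS agent returns at the relative URI.
$sample = json_encode([
    'RoleArn'         => 'arn:aws:iam::123456789012:role/example-task-role',
    'AccessKeyId'     => 'ASIAEXAMPLE',
    'SecretAccessKey' => 'example-secret',
    'Token'           => 'example-session-token',
    'Expiration'      => '2030-01-01T00:00:00Z',
]);
// Offline stand-in for the HTTP GET; a real implementation would use curl or Guzzle.
$fetch = static fn(string $url, array $headers): string => $sample;

$source = new AwsCredentialSource($fetch, [
    'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI' => '/v2/credentials/00000000-0000-0000-0000-000000000000',
]);
[$url] = $source->ecsEndpoint();
$creds = $source->credentials();
printf("%s -> %s (expires %s)\n", $url, $creds['access_key_id'], $creds['expiration']->format(DATE_ATOM));
```

The point of the example is the first branch: on ECS the path component is unique per task and only known at runtime, so a credential file that hard-codes the EC2 metadata URL cannot describe it, and a library would have to read the environment itself. Whatever is returned still has to be signed into the GetCallerIdentity request that workload identity federation uses as the subject token; this snippet stops at obtaining the AWS credentials.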

@jaimemasson I'll get in touch with our team and see what we can do. I am also open to merging a PR if you feel like submitting support for this feature!

bshaffer, Jun 06 '24 17:06

@jaimemasson So the response here is that we don't currently support WIF for ECS Tasks natively in any of the Google auth libraries. We did add support recently in some of the libraries for users to inject their own logic to retrieve AWS security credentials, but there's no native support in the "external account credentials file" as of yet. It's in the backlog to add eventually, but there is no timeline right now.

bshaffer, Jun 10 '24 15:06