Add support for Workload Identity Federation
Background
Currently, the auth library supports three authentication methods:
- User credentials (authorized_user)
- Service account key credentials (service_account)
- Metadata service credentials (for GCE/GKE)
However, it lacks support for Workload Identity Federation, which is Google Cloud's recommended way to access Google Cloud resources from non-Google Cloud environments (GitHub Actions, AWS, Azure, etc.) without using service account keys.
Proposed Changes
Add support for Workload Identity Federation by:
- Implementing external account credentials:
  - Add support for type: "external_account" in ADC files
  - Implement STS (Security Token Service) token exchange
  - Support credential source configurations for different providers
  - Add support for
- Supporting some providers:
  - Generic OIDC provider
  - AWS
  - Azure
Example Configuration
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "url": "***",
    "headers": {"Authorization": "***"},
    "format": {"type": "json", "subject_token_field_name": "value"}
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken"
}
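The three steps this configuration drives (read the subject token from the credential source, exchange it at the STS, then optionally impersonate the service account), as an added Python example that is not the library's code. The HTTP transport is injected and `fake_http`, the endpoint responses and all configuration values are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Constructed external_account ADC document; every value is a placeholder.
CONFIG = json.loads("""{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/000/locations/global/workloadIdentityPools/pool/providers/oidc",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {"url": "https://issuer.example/oidc-token",
                        "headers": {"Authorization": "Bearer placeholder"},
                        "format": {"type": "json", "subject_token_field_name": "value"}},
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@example.iam.gserviceaccount.com:generateAccessToken"
}""")
SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def get_access_token(cfg, http):
    """external_account flow; `http(method, url, headers, body) -> text` is injected so it runs offline."""
    if cfg.get("type") != "external_account":
        raise ValueError("not an external_account credential")
    # 1. Subject token: fetch from the url-based credential_source, extract per `format`.
    src = cfg["credential_source"]
    raw = http("GET", src["url"], src.get("headers", {}), None)
    fmt = src.get("format", {"type": "text"})
    subject = json.loads(raw)[fmt["subject_token_field_name"]] if fmt["type"] == "json" else raw.strip()
    # 2. STS token exchange (RFC 8693) for a federated access token bound to the audience.
    form = urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
                      "audience": cfg["audience"], "scope": SCOPE,
                      "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
                      "subject_token_type": cfg["subject_token_type"], "subject_token": subject})
    sts = http("POST", cfg["token_url"], {"Content-Type": "application/x-www-form-urlencoded"}, form)
    federated = json.loads(sts)["access_token"]
    # 3. Optional impersonation: trade the federated token for a service-account access token.
    url = cfg.get("service_account_impersonation_url")
    if not url:
        return federated
    resp = http("POST", url, {"Authorization": "Bearer " + federated,
                              "Content-Type": "application/json"}, json.dumps({"scope": [SCOPE]}))
    return json.loads(resp)["accessToken"]


def fake_http(method, url, headers, body):
    """Constructed stand-in for the three endpoints; each step must present the previous step's token."""
    if "issuer.example" in url and method == "GET":
        return json.dumps({"value": "eyJ.external.jwt"})
    if "sts.googleapis.com" in url and "subject_token=eyJ.external.jwt" in body:
        return json.dumps({"access_token": "federated-token", "token_type": "Bearer"})
    if url.endswith(":generateAccessToken") and headers.get("Authorization") == "Bearer federated-token":
        return json.dumps({"accessToken": "sa-token", "expireTime": "2030-01-01T00:00:00Z"})
    raise RuntimeError("unexpected request: " + url)
```

Against real endpoints the injected transport would be a thin wrapper over urllib.request; without service_account_impersonation_url the flow stops after step 2 and returns the federated token directly.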
> However, it lacks support for Workload Identity Federation, which is Google Cloud's recommended way to access Google Cloud resources from non-Google Cloud environments (Github Actions, AWS, Azure, etc.) without using service account keys.
We are aware and it is part of our roadmap. Unfortunately, we are not at liberty to share timelines.