James Gunn

Results 6 comments of James Gunn

Thanks

> You just need to obtain the subject token differently, right? So, you should be able to extend ExternalAccountCredential and implement [GetSubjectTokenAsyncImpl](https://github.com/googleapis/google-api-dotnet-client/blob/3ad20d2fbe0cbe471455e948f2658530ea9d5e32/Src/Support/Google.Apis.Auth/OAuth2/ExternalAccountCredential.cs#L272)? The only thing we'd need to make protected...

@amanda-tarafa we've set that up already (largely following the guide at https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster) but couldn't get file-sourced credentials to work.

I've tried this config:

```json
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/@get-an-identity.iam.gserviceaccount.com:generateAccessToken",
  "credential_source": {
    "url": "https://login.microsoftonline.com//oauth2/v2.0/token?api-version=2018-02-01&resource=api://a1039720-f1aa-4d81-9996-b305299bf0ce",
    "headers": {
      "Metadata": "True"
    },
    "format": {
      "type": "json",
      "subject_token_field_name":...
```

I suspect the MS token request is failing as there's no way to provide the contents of the `AZURE_FEDERATED_TOKEN_FILE` environment variable.

> can use the token in AZURE_FEDERATED_TOKEN_FILE directly, so you'd put that path on the file-sourced credential configuration

Using that token directly with the `https://sts.googleapis.com/v1/token` endpoint doesn't work; it first needs...