
AWS Workload Identity Federation

Open ntang86 opened this issue 2 years ago • 2 comments

Hey, do you have some documentation on how to use this lib with AWS and Workload Identity Federation?

The code below is giving me the following error

from google.auth import aws
import google.auth.transport.requests

# Load the external_account (workload identity federation) config for AWS.
cred = aws.Credentials.from_file("./work-identify-pool.json")
request = google.auth.transport.requests.Request()
# refresh() returns None; on success the access token is stored in cred.token.
cred.refresh(request)
aws_cred = cred
{
  "errorMessage": "('Unable to acquire impersonated credentials', '{\\n  \"error\": {\\n    \"code\": 400,\\n    \"message\": \"Request contains an invalid argument.\",\\n    \"status\": \"INVALID_ARGUMENT\"\\n  }\\n}\\n')",
  "errorType": "RefreshError",
  "requestId": "",
  "stackTrace": [
    "  File \"/var/lang/lib/python3.10/importlib/__init__.py\", line 126, in import_module\n    return _bootstrap._gcd_import(name[level:], package, level)\n",
    "  File \"<frozen importlib._bootstrap>\", line 1050, in _gcd_import\n",
    "  File \"<frozen importlib._bootstrap>\", line 1027, in _find_and_load\n",
    "  File \"<frozen importlib._bootstrap>\", line 1006, in _find_and_load_unlocked\n",
    "  File \"<frozen importlib._bootstrap>\", line 688, in _load_unlocked\n",
    "  File \"<frozen importlib._bootstrap_external>\", line 883, in exec_module\n",
    "  File \"<frozen importlib._bootstrap>\", line 241, in _call_with_frames_removed\n",
    "  File \"/var/task/main.py\", line 20, in <module>\n    aws_cred = cred.refresh(request)\n",
    "  File \"/var/task/google/auth/external_account.py\", line 360, in refresh\n    self._impersonated_credentials.refresh(request)\n",
    "  File \"/var/task/google/auth/impersonated_credentials.py\", line 247, in refresh\n    self._update_token(request)\n",
    "  File \"/var/task/google/auth/impersonated_credentials.py\", line 276, in _update_token\n    self.token, self.expiry = _make_iam_token_request(\n",
    "  File \"/var/task/google/auth/impersonated_credentials.py\", line 104, in _make_iam_token_request\n    raise exceptions.RefreshError(_REFRESH_ERROR, response_body)\n"
  ]
}

ntang86, Jul 07 '23 21:07

It's covered in the user guide here. Are you using EC2? What you've provided is not enough for us to help. If you provide more info (e.g. the config you're using, the request that was made), @BigTailWolf can help out.

lsirac, Jul 11 '23 21:07

Hi, for some context, I'm using Lambda to send requests to a Cloud Run instance, so I can't use the client libraries.

Not sure how "attribute mapping and condition" works in my case; what are the different elements we have to set up on AWS? I'm a bit confused, and I had some trouble following the guide "Authenticate a workload using the REST API". It would be great to have a working example of how to set up a REST request from Lambda.

Thank you

ntang86, Jul 12 '23 15:07
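The traceback in the first post ends in the impersonation step (`_make_iam_token_request`, the `generateAccessToken` call to the IAM Credentials API), and the follow-up asks what has to be in place on the AWS side before the REST flow works. The following added example, which is not code from google-auth-library-python or from either poster, is an offline sanity checker for the two things a Lambda deployment gets wrong most easily: the external_account JSON file handed to `aws.Credentials.from_file`, and the AWS environment the library reads its signing material from when no EC2 metadata server is reachable (`AWS_REGION`/`AWS_DEFAULT_REGION`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`). The field names and URL shapes are the public external_account config format; the sample configs, the project number, pool, provider and service-account names are constructed for the example, and the environment-variable lookup order is an assumption about the library that is worth confirming against the installed version.

```python
"""Offline sanity checks for a google-auth AWS workload identity federation config.

Added example (not google-auth-library-python code). Expected field shapes follow
the public external_account config format; the env-var behaviour is assumed.
"""
import json
import os
import re

AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$"
)
IMPERSONATION_RE = re.compile(
    r"^https://iamcredentials\.googleapis\.com/v1/projects/-/serviceAccounts/"
    r"[^@/:]+@[^/:]+\.gserviceaccount\.com:generateAccessToken$"
)
# Tokens left over from documentation templates; a real config must not contain them.
PLACEHOLDER_RE = re.compile(r"PROJECT_NUMBER|POOL_ID|PROVIDER_ID|SA_EMAIL|<[^>]+>")
AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"


def check_wif_config(cfg):
    """Return a list of findings for an external_account config; empty means it looks sane."""
    findings = []
    if cfg.get("type") != "external_account":
        findings.append("type must be 'external_account'")
    audience = cfg.get("audience", "")
    if PLACEHOLDER_RE.search(audience) or not AUDIENCE_RE.match(audience):
        findings.append("audience must be //iam.googleapis.com/projects/<project-number>/"
                        "locations/global/workloadIdentityPools/<pool>/providers/<provider>")
    if cfg.get("subject_token_type") != AWS_SUBJECT_TOKEN_TYPE:
        findings.append("subject_token_type must be " + AWS_SUBJECT_TOKEN_TYPE)
    if cfg.get("token_url") != STS_TOKEN_URL:
        findings.append("token_url must be " + STS_TOKEN_URL)
    # The impersonation URL is optional (without it the STS federated token is returned
    # directly), but when present it must name a real service-account e-mail.
    url = cfg.get("service_account_impersonation_url")
    if url is not None and (PLACEHOLDER_RE.search(url) or not IMPERSONATION_RE.match(url)):
        findings.append("service_account_impersonation_url must be https://iamcredentials."
                        "googleapis.com/v1/projects/-/serviceAccounts/<sa-email>:generateAccessToken")
    src = cfg.get("credential_source", {})
    if src.get("environment_id") != "aws1":
        findings.append("credential_source.environment_id must be 'aws1'")
    verify = src.get("regional_cred_verification_url", "")
    if "{region}" not in verify or "Action=GetCallerIdentity" not in verify:
        findings.append("credential_source.regional_cred_verification_url must contain "
                        "{region} and Action=GetCallerIdentity")
    return findings


def check_lambda_env(env):
    """Findings about the AWS signing material a Lambda-style environment exposes."""
    findings = []
    if not (env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION")):
        findings.append("AWS_REGION is unset and there is no EC2 metadata server to derive it from")
    for key in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"):
        if not env.get(key):
            findings.append(key + " is unset; the execution role's temporary credentials "
                            "are needed to sign the GetCallerIdentity subject token")
    return findings


def check_config_file(path, env=None):
    """Load a config file and return the combined findings for it and the environment."""
    with open(path) as fh:
        cfg = json.load(fh)
    return check_wif_config(cfg) + check_lambda_env(os.environ if env is None else env)


# Constructed sample: a well-formed config (names are made up for the example).
GOOD_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/my-pool/providers/my-aws-provider",
    "subject_token_type": AWS_SUBJECT_TOKEN_TYPE,
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
                                         "serviceAccounts/cloudrun-caller@my-project.iam."
                                         "gserviceaccount.com:generateAccessToken",
    "token_url": STS_TOKEN_URL,
    "credential_source": {
        "environment_id": "aws1",
        "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
        "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
        "regional_cred_verification_url":
            "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
    },
}
# Constructed sample: a documentation template copied without filling it in, with the
# OIDC subject token type pasted in by mistake (three findings expected).
BAD_CONFIG = dict(GOOD_CONFIG, **{
    "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
                "workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
                                         "serviceAccounts/SA_EMAIL:generateAccessToken",
})
# Constructed sample of what the Lambda runtime exports for the execution role.
LAMBDA_ENV = {"AWS_REGION": "us-east-1", "AWS_ACCESS_KEY_ID": "ASIAEXAMPLE",
              "AWS_SECRET_ACCESS_KEY": "example-secret", "AWS_SESSION_TOKEN": "example-token"}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_wif_config(cfg) or "ok")
    print("env", check_lambda_env(LAMBDA_ENV) or "ok")
```

Run `check_config_file("./work-identify-pool.json")` inside the Lambda handler before constructing the credentials: a finding on `service_account_impersonation_url` is the first thing to look at when the failure is in the impersonation step, as in the traceback above, while findings on the audience, token type or `credential_source` would have stopped the flow earlier, at the STS exchange.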