
Support Workload Identity Federation authentication

Open sshcherbakov opened this issue 3 years ago • 8 comments

Support Workload Identity Federation authentication by upgrading googleauth dependency to the latest version 1.3.0.

At the moment the "external_account" type of GOOGLE_APPLICATION_CREDENTIALS is not supported, and hence GitHub Actions using google-github-actions/auth cannot benefit from keyless Workload Identity Federation authentication.

sshcherbakov avatar Nov 24 '22 00:11 sshcherbakov

I'm seeing the same issue

>>>>>> Unable to read the default credential file: credentials type 'external_account' is not supported

wyardley avatar Feb 03 '23 06:02 wyardley
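A pre-flight check for the failure reported above, added here as an example and not code from inspec-gcp, train or googleauth. It reads the file GOOGLE_APPLICATION_CREDENTIALS points at, tells a static service_account key apart from an external_account (WIF) configuration, validates the fields the keyless config needs, and probes whether the googleauth gem bundler resolved can load external_account credentials. Assumptions: the sample files are constructed with placeholder values; the file-sourced credential_source layout is what google-github-actions/auth writes; and Google::Auth::ExternalAccount::Credentials is the class name googleauth exposes once that support is present.

```ruby
# Added example, not inspec-gcp or train code: pre-flight check of the file
# GOOGLE_APPLICATION_CREDENTIALS points at, run before invoking inspec-gcp.
require "json"
require "tmpdir"

# Credential types an ADC file can carry. "service_account" is a long-lived
# private key on disk; "external_account" is the keyless WIF configuration
# that google-github-actions/auth writes.
KEYED_TYPES   = %w[service_account authorized_user].freeze
KEYLESS_TYPES = %w[external_account].freeze

# Fields an external_account config needs for the STS token exchange.
WIF_REQUIRED = %w[audience subject_token_type token_url credential_source].freeze

# Inspect a credentials file and report its type, whether it is keyless, and
# the problems to fix before handing it to an inspec-gcp run.
def inspect_adc_file(path)
  result = { path: path, type: nil, keyless: false, problems: [] }
  unless File.file?(path)
    result[:problems] << "file not found: #{path}"
    return result
  end
  data = JSON.parse(File.read(path))
  result[:type] = data["type"]
  if KEYLESS_TYPES.include?(data["type"])
    result[:keyless] = true
    missing = WIF_REQUIRED.reject { |k| data.key?(k) }
    result[:problems] << "missing WIF fields: #{missing.join(', ')}" unless missing.empty?
    src = data["credential_source"] || {}
    # File-sourced OIDC tokens (the GitHub Actions case) must already be on disk.
    if src["file"] && !File.file?(src["file"])
      result[:problems] << "credential_source.file does not exist: #{src['file']}"
    end
    unless src["file"] || src["url"] || src["environment_id"]
      result[:problems] << "credential_source names no file, url or environment_id"
    end
  elsif KEYED_TYPES.include?(data["type"])
    # Older googleauth accepts this, but it is the static secret WIF replaces.
    result[:problems] << "static #{data['type']} credential; not keyless"
  else
    result[:problems] << "unknown credential type: #{data['type'].inspect}"
  end
  result
rescue JSON::ParserError => e
  result[:problems] << "not valid JSON: #{e.message}"
  result
end

# Whether the googleauth gem bundler resolved can parse external_account
# credentials. Assumption: Google::Auth::ExternalAccount::Credentials is the
# class googleauth defines once that support is present.
def googleauth_external_account_support
  require "googleauth"
  defined?(Google::Auth::ExternalAccount::Credentials) ? :supported : :unsupported
rescue LoadError
  :not_installed
end

# ---- constructed samples (placeholder values, not real credentials) ----
SAMPLE_DIR = Dir.mktmpdir("adc-samples")

def write_sample(name, hash)
  path = File.join(SAMPLE_DIR, name)
  File.write(path, JSON.generate(hash))
  path
end

SERVICE_ACCOUNT_SAMPLE = {
  "type" => "service_account",
  "project_id" => "example-project",
  "private_key_id" => "0000",
  "private_key" => "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email" => "ci@example-project.iam.gserviceaccount.com",
}.freeze

# Shaped like the file-sourced config google-github-actions/auth writes
# (an assumption about that action's output; field names follow Google's
# external_account credential configuration format).
def wif_sample(token_file:)
  {
    "type" => "external_account",
    "audience" => "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/github/providers/github-oidc",
    "subject_token_type" => "urn:ietf:params:oauth:token-type:jwt",
    "token_url" => "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url" => "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/ci@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source" => { "file" => token_file, "format" => { "type" => "text" } },
  }
end

if __FILE__ == $PROGRAM_NAME
  token = File.join(SAMPLE_DIR, "oidc-token")
  File.write(token, "constructed.jwt.placeholder")
  [
    write_sample("sa.json", SERVICE_ACCOUNT_SAMPLE),
    write_sample("wif.json", wif_sample(token_file: token)),
    write_sample("wif-missing-token.json", wif_sample(token_file: File.join(SAMPLE_DIR, "absent"))),
    ENV.fetch("GOOGLE_APPLICATION_CREDENTIALS", File.join(SAMPLE_DIR, "nope.json")),
  ].each { |p| puts inspect_adc_file(p).inspect }
  puts "installed googleauth: #{googleauth_external_account_support}"
end
```

Run it in the same bundle that runs inspec-gcp (bundle exec ruby adc_check.rb) so the googleauth probe sees the version bundler actually resolved; a :unsupported result is the same condition that produces the "credentials type 'external_account' is not supported" error above.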

@sshcherbakov doesn't look like googleauth is pinned (and there's no lockfile)?

https://github.com/inspec/inspec-gcp/blob/4638409e306af91880235b7454e1be02b481c25d/Gemfile#L7

Not sure how those get installed when the plugin gets vendored...

wyardley avatar Feb 03 '23 06:02 wyardley

% bundle why googleauth
inspec-bin -> inspec -> train -> google-api-client -> googleauth
kitchen-inspec -> inspec -> train -> google-api-client -> googleauth
kitchen-terraform -> inspec -> train -> google-api-client -> googleauth
inspec-bin -> inspec -> train -> googleauth
kitchen-inspec -> inspec -> train -> googleauth
kitchen-terraform -> inspec -> train -> googleauth

So I think this actually needs to be handled here: https://github.com/inspec/train/issues/729

wyardley avatar Feb 04 '23 04:02 wyardley

So I am actually utilizing Workload Identity Federation with inspec-gcp now, however it is not super straightforward to do. In order to do it properly there are multiple dependencies that need to be updated. Specifically this PR (https://github.com/googleapis/google-auth-library-ruby/pull/414) needs to be merged before the train can be set in motion. With that in mind, it should be possible now if you are willing to run a version of google-auth-library-ruby that I have on a branch of mine with that PR ported in and the version artificially lowered: https://github.com/rbclark/google-auth-library-ruby/tree/add-external-account-credentials

As a note https://github.com/inspec/inspec-gcp/pull/415 and https://github.com/inspec/inspec-gcp/pull/416 were both PRs to fix workload identity federation compatibility so once an appropriate version of google-auth-library-ruby is supported then Workload Identity Federation will just start working.

rbclark avatar Feb 04 '23 05:02 rbclark

> Specifically https://github.com/googleapis/google-auth-library-ruby/pull/414 needs to be merged before the train can be set in motion

Ah - thanks - I had seen that one and wondered if it was related (the AWS bit threw me a little). Will this work for other OIDC providers?

> With that in mind, it should be possible now if you are willing to run a version of google-auth-library-ruby that I have on a branch of mine with that PR ported in

Thanks - I saw your comment about that; appreciate it. Since it's all via indirect dependencies, is there any trick to getting the forked version to override the version that bundler's getting?

I may just wait - the project I'm using it against doesn't have any real resources in it, so I can deal with using static credentials for a bit longer - just frustrating since test-kitchen / terraform work great already with OIDC.

wyardley avatar Feb 04 '23 05:02 wyardley

> Ah - thanks - I had seen that one and wondered if it was related (the AWS bit threw me a little). Will this work for other OIDC providers?

I personally only needed AWS for my use case so when I put up the PR it only contained support for AWS. At this point my work has been rolled up into another PR and I am unsure if they added support for additional providers.

> Thanks - I saw your comment about that; appreciate it. Since it's all via indirect dependencies, is there any trick to getting the forked version to override the version that bundler's getting?

The Gemfile in my root project looks like this:

source "https://rubygems.org"

gem "googleauth", github: "rbclark/google-auth-library-ruby", branch: "add-external-account-credentials"

source "https://packagecloud.io/cinc-project/stable" do
  gem "cinc-auditor-bin"
end

If I remember correctly that caused all of the inspec packages to also use the correct googleauth dependency (due to the version number I have set on that branch).

rbclark avatar Feb 06 '23 14:02 rbclark

Seems like https://github.com/googleapis/google-auth-library-ruby/pull/418 is now merged. Any further news, and is anyone working on adding support over here?

wyardley avatar Apr 27 '23 20:04 wyardley

#437

wyardley avatar Jul 04 '23 15:07 wyardley

We have implemented support for Workload Identity Federation authentication. This feature is now available after updating the googleauth GCP libraries in the train repository https://github.com/inspec/train/pull/767

balasubramanian-s avatar Aug 08 '24 13:08 balasubramanian-s