
support Workload Identity Federation

Open danburkert opened this issue 1 year ago • 7 comments

Hi, I have GitHub Actions CI workloads which authenticate to GCP using 'Workload Identity Federation through a Service Account', following the configuration in the linked Google-authored action.

I have enabled the external-account feature in google-cloud-auth.

When using google-cloud-storage in this CI environment, authentication fails with `Error: external account error : Unsupported Subject Token Source`.

I believe this is expected behavior based on a TODO in the codebase: https://github.com/yoshidan/google-cloud-rust/blob/main/foundation/auth/src/token_source/external_account_source/mod.rs#L107-L108, but I wanted to file an issue to track progress and see if there are any workarounds, particularly in a GitHub Actions environment.

danburkert avatar Feb 16 '24 15:02 danburkert

This is possibly a dupe of #171, but I couldn't tell for sure.

danburkert avatar Feb 16 '24 16:02 danburkert

Currently we only support AWS for workload identity federation.

I have not yet investigated the details of how to work with GitHub Actions, but referring to the Go source, the credential source should be either FILE, URL, or Executable in this case.

https://github.com/golang/oauth2/blob/ebe81ad83719fe3426335b22e40a1e3a76fa45c0/google/internal/externalaccount/basecredentials.go#L147

I will check what the credential source will actually be.

yoshidan avatar Feb 20 '24 14:02 yoshidan

I've run into the same issue and am currently investigating it. Seems the credential source is URL type. Here's the credential I got on GitHub Actions (partially masked) 👇

```json
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/***",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "url": "***",
    "headers": {"Authorization": "***"},
    "format": {"type": "json", "subject_token_field_name": "value"}
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken"
}
```

As far as I've investigated the URL type implementation in Go, it does not seem to be that complicated: https://github.com/golang/oauth2/blob/ebe81ad83719fe3426335b22e40a1e3a76fa45c0/google/internal/externalaccount/urlcredsource.go

moricho avatar Mar 06 '24 14:03 moricho
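The three-step flow behind a url-type external_account credential like the one above (fetch the OIDC subject token from credential_source.url, exchange it at the STS token_url, then impersonate the service account), as an added example that is not code from google-cloud-rust or the Go oauth2 package. It is written in Python so it runs with the standard library alone; the HTTP call is injected, and fake_http, the id-token.example and iamcredentials.example URLs and every *_PLACEHOLDER value are constructed stand-ins for the masked values.

```python
# Added example, not code from google-cloud-rust; every URL and token value is a constructed placeholder.
import json
from urllib.parse import parse_qsl, urlencode

STS_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
CLOUD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

def fetch_subject_token(cfg, http):
    """Step 1: read the OIDC JWT from credential_source.url (the GitHub Actions case in the thread)."""
    src = cfg["credential_source"]
    if "url" not in src:  # file, executable and aws sources are out of scope for this example
        raise ValueError("Unsupported Subject Token Source")
    body = http("GET", src["url"], src.get("headers", {}), None)
    fmt = src.get("format", {"type": "text"})
    if fmt.get("type") == "json":  # e.g. {"count": 1, "value": "<jwt>"}: pick subject_token_field_name
        return json.loads(body)[fmt["subject_token_field_name"]]
    return body.decode().strip()

def exchange_at_sts(cfg, subject_token, http):
    """Step 2: RFC 8693 token exchange at token_url, yielding a short-lived federated access token."""
    form = {"grant_type": STS_GRANT, "audience": cfg["audience"], "scope": CLOUD_SCOPE,
            "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
            "subject_token_type": cfg["subject_token_type"], "subject_token": subject_token}
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"}
    return json.loads(http("POST", cfg["token_url"], hdrs, urlencode(form).encode()))["access_token"]

def impersonate(cfg, federated, http):
    """Step 3: trade the federated token for a service-account token when the config asks for it."""
    url = cfg.get("service_account_impersonation_url")
    if not url:
        return federated
    hdrs = {"Authorization": f"Bearer {federated}", "Content-Type": "application/json"}
    return json.loads(http("POST", url, hdrs, json.dumps({"scope": [CLOUD_SCOPE]}).encode()))["accessToken"]

def access_token(cfg, http):
    return impersonate(cfg, exchange_at_sts(cfg, fetch_subject_token(cfg, http), http), http)

EXAMPLE_CONFIG = {  # constructed, shaped like the masked credential above; *_PLACEHOLDER stands for masked values
    "audience": "//iam.googleapis.com/POOL_PROVIDER_PLACEHOLDER", "token_url": "https://sts.googleapis.com/v1/token",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "credential_source": {"url": "https://id-token.example/", "headers": {"Authorization": "bearer RUNTIME_TOKEN"},
                          "format": {"type": "json", "subject_token_field_name": "value"}},
    "service_account_impersonation_url": "https://iamcredentials.example/SA_PLACEHOLDER:generateAccessToken"}

def fake_http(method, url, headers, body):
    """Constructed stand-in for the three endpoints so the flow runs offline; a real client does HTTP here."""
    if url == EXAMPLE_CONFIG["credential_source"]["url"]:
        return b'{"count":1,"value":"OIDC_JWT_PLACEHOLDER"}'
    if url == EXAMPLE_CONFIG["token_url"]:
        assert dict(parse_qsl(body.decode()))["subject_token"] == "OIDC_JWT_PLACEHOLDER"
        return b'{"access_token":"FEDERATED_PLACEHOLDER","token_type":"Bearer","expires_in":3600}'
    assert headers["Authorization"] == "Bearer FEDERATED_PLACEHOLDER"  # generateAccessToken needs the federated token
    return b'{"accessToken":"SA_TOKEN_PLACEHOLDER","expireTime":"2024-03-06T15:00:00Z"}'
```

Dropping service_account_impersonation_url from the config exercises the direct-federation path, where the STS token itself is the result.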

I see this was merged a couple of weeks ago. Any chance you'll publish a new release with it soon?

theoribeiro avatar Mar 20 '24 23:03 theoribeiro

@theoribeiro I've now published google-cloud-auth v0.13.2.

yoshidan avatar Mar 24 '24 12:03 yoshidan

Unfortunately, I'm still getting `unsupported account external_account` when using Workload Identity Federation on GitHub Actions. Any idea why?

theoribeiro avatar Apr 03 '24 21:04 theoribeiro

Ah, never mind! This is behind a feature gate that I didn't know about. I added external-account and it's now solved and working in the CI.

theoribeiro avatar Apr 05 '24 14:04 theoribeiro