How can I authenticate using Workload identity federation?

[MrPhantomT]

Hello, I'm trying to authenticate access to Google Drive from my AWS EC2 instance using Workload Identity Federation, but unfortunately can't figure how to do it.

Is that library support such authentication? Any plans to support it?

Thanks.

[quartzmo]

@MrPhantomT In your EC2 instance, will you obtain a short-lived OAuth 2.0 access token as described in Workload Identity Federation - Service account impersonation? If so, I recently added minimal support for using a token that is obtained externally in v1.1.0. Usage example is shown in issue #346. Will that work for you? If not, we can investigate how to support the entire flow.

[MrPhantomT]

@quartzmo No, I don't have any short-lived token.

Basically I have tried to follow that guide trying to allow usage of Google Drive API from AWS EC2 instance that has specific role assigned without obtaining.

Thanks.

[quartzmo]

Is this the relevant part of the guide?

To allow the use of AWS security credentials, you must configure the workload identity pool to trust your AWS account. Security credentials tokens issued for this AWS account are then recognized by workload identity federation, and you can use the tokens to obtain short-lived service account credentials.

[MrPhantomT]

Yes, but in implementation of that library for other languages like python, node it's looks like all steps(parsing of configuration.json file, obtaining of AWS security token) done inside.

[quartzmo]

If it's not too much trouble, can you link to where its done in Python and Node?

[MrPhantomT]

The next section in the documentation of Node library describes usage: Using External Identities
I have tracked code up to the next file where all obtaining logic implemented.

I have a little bit troubles with python but I guess this file implement all logic and I guess this part of documentation cover it.

[quartzmo]

Thank you for these links, that is very helpful. It sounds like you would like to see equivalent feature support in this library?

[MrPhantomT]

Yes, it would be great.

[hermanbanken]

If we use https://github.com/google-github-actions/auth today with this library (via Fastlane) we get an error:

missing client_email

which is thrown here:

google-auth-library-ruby/lib/googleauth/json_key_reader.rb

Line 28 in 9d7051c

json_key["client_email"],

The JSON Key generated by https://github.com/google-github-actions/auth has this format:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/default/providers/github",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
  "credential_source":
    {
      "url": "https://pipelines.actions.githubusercontent.com/some-long-path/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2F1234567890%2Flocations%2Fglobal%2FworkloadIdentityPools%2Fdefault%2Fproviders%2Fgithub",
      "headers": { "Authorization": "***" },
      "format": { "type": "json", "subject_token_field_name": "value" },
    },
}

So no client_email is present. I think this library should add support for this format, just like all the other Google Auth libraries, which gained support in begin of last year:

• feat!: workload identity federation support google-auth-library-nodejs#1131
• feat: workload identity federation support google-auth-library-python#698
• feat: add workload identity federation support google-auth-library-java#547

[hermanbanken]

Note that libraries like https://github.com/google-github-actions/auth can also generate the OAuth Access Token, so in principal there is no need to understand the external_account JSON Key format for most use cases, as long as a pre-populated OAuth Access Token could be used.

[rbclark]

Is this still on the table to be implemented and is there a timeline? I'd really like to leverage Workload Identity Federation however this library lacking support is a bit of a blocker to that since the upstream tools I am leveraging use this library directly.

I currently am trying to use a external_account.json to connect but am receiving the error:

Unable to read the credential file specified by GOOGLE_APPLICATION_CREDENTIALS: credentials type 'external_account' is not supported

This error is coming from https://github.com/googleapis/google-auth-library-ruby/blob/main/lib/googleauth/default_credentials.rb#L57 which makes sense since the library has not yet implemented it.

[hermanbanken]

@quartzmo do you know if this is a topic that this library is accepting contributions for?

(I'm not comfortable with Ruby, but others in this thread might be more equipped to contribute. Just want to move this thread/feature forward.)

[rbclark]

@quartzmo I am quite comfortable with Ruby and would be willing to take a stab at this if it is something the library would entertain merging.

[corytheboyd-smartsheet]

Just throwing in my "this would be really really really nice to have in the Ruby SDK". Workload identity federation is going to be huge for us, as we are very multi-cloud with primary services hosted on GCP. Huge thanks to @rbclark for taking one for the team running the PR 😄

[shivgautam]

Hi, The team is working on it and will post an update soon. We don't have an ETA but it is being actively worked upon and should be ready soon. Thank you all for your patience.

[w32-blaster]

We are trying to use the newly released library with workload identity federation to GCP and seeing the following problem:
When authenticating from an EC2 instance this works now great with the version 1.5.0 (#418)

The problem is when a workload is running on an EKS cluster with irsa, the normal authentication flow through the metadata service does not work, so WIF can be only used with generic OIDC provider. In this case the subject_token_type and the whole configuration looks different:

"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    "format": {
      "type": "text"
    }
  }

It would be great to support the EKS service accounts as well, and not just EC2 and metadata provided token based auth.

Let me know if that should go to a different feature request.

[kyokyokyo0217]

Hello, I also have some questions about using Workload Identity Federation with Service Account Impersonation.

I am trying to access Cloud Run on GCP from an EC2 instance on AWS. According to this, we have to call generateIdToken instead of generateAccessToken to generate a short-lived token.

Here are my questions:

• In cases like the above, can I use Google::Auth::ExternalAccount::Credentials module?

• If so, assuming to add a field like service_account_impersonation_url and set value likehttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateIdToken to the configuration file for impersonation? It seemed that the make_creds method only considered json_key_io and scope here .

Thanks!