Support for workload identity federation
IvanUkhov opened this issue · 3 comments
Thank you very much for this handy crate! I am wondering what it would take to add support for workload identity federation. According to the documentation, GOOGLE_APPLICATION_CREDENTIALS used in ApplicationDefaultCredentialsAuthenticator can point at such a file instead of a file with a service account key.
Thank you for the kind words! Unfortunately, by asking this question you already show that you know much more about this type of authentication than I do :-) Reading the docs didn't help a lot either (at first glance), as I am not very familiar with the specific feature or environments where one might use it.
However, may I suggest that you (if you have the time for it) explore the source code of yup-oauth2 a bit? Maybe you will find a simple way to integrate this into the existing framework, in which case I'll happily take a PR (at which point I hopefully know a bit more about this type of authentication).
For inspiration, it is implemented here:
https://github.com/yoshidan/google-cloud-rust/tree/main/foundation/auth
One, however, would have to dig deeper and understand what is what.
Workload Identity is currently the recommended authentication mechanism on Google Kubernetes Engine:
https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#alternatives_to