Support for external_account type
Opened this issue · 0 comments
Is your feature request related to a problem? Please describe.
Without Workload Identity, the type of the credentials file is service_account. These credentials include a private RSA key, in the private_key field, used to authenticate to GCP. This private key needs to be kept secure and is most often not rotated.
{
  "type": "service_account",
  "project_id": "test-project",
  "private_key_id": "123absc5678993dabd942adf0ff0812c789f",
  "private_key": "<private_key>",
  "client_email": "test-email@test-project.iam.gserviceaccount.com",
  "client_id": "1006844567890123456789",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-email@test-project.iam.gserviceaccount.com"
}
Describe the solution you'd like
With Workload Identity, the type of the credentials is external_account, and audience is the target audience, which is the workload identity provider. The service_account_impersonation_url key contains the resource URL of the service account that can be impersonated with these credentials. credential_source.file is the path to the OIDC token, which is exchanged for a Google access token. The OIDC token is rotated every hour, so the credentials are short-lived.
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test-service-account@test-project.iam.gserviceaccount.com:generateAccessToken",
  "credential_source": {
    "file": "/path/to/oidc/token",
    "format": {
      "type": "text"
    }
  }
}
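To make the two-step flow behind an external_account file concrete, here is an added Python example (not code from this project or from Google's client libraries). It loads a credentials JSON, classifies it as long-lived (service_account, embedded private key) or short-lived (external_account), reads the OIDC subject token from credential_source.file, checks how long that token remains valid, and builds the two request bodies that the file implies: the STS token exchange against token_url and the impersonation call against service_account_impersonation_url. The parameter names follow the RFC 8693 token-exchange grant used by Google STS and the generateAccessToken API; nothing is sent over the network, the file reader is injected so it runs offline, and the sample credential and the unsigned JWT are constructed for the example.

```python
"""Added example: inspect a GCP credentials JSON and derive the requests an
external_account file implies. Sample data below is constructed, not real."""
import base64
import json
import time

# Parameter values of the token-exchange grant (RFC 8693) accepted by Google STS.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
REQUIRED_EXTERNAL = ("audience", "subject_token_type", "token_url", "credential_source")

# Constructed external_account credential mirroring the shape shown in the issue.
SAMPLE_EXTERNAL = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789/locations/global/"
                "workloadIdentityPools/test-pool/providers/test-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
        "serviceAccounts/test-service-account@test-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {"file": "/path/to/oidc/token", "format": {"type": "text"}},
}


def classify(creds):
    """'long-lived' for service_account (private key in the file), 'short-lived'
    for external_account (access obtained from a regularly rotated OIDC token)."""
    kind = creds.get("type")
    if kind == "service_account":
        if "private_key" not in creds:
            raise ValueError("service_account credentials without private_key")
        return "long-lived"
    if kind == "external_account":
        missing = [k for k in REQUIRED_EXTERNAL if k not in creds]
        if missing:
            raise ValueError(f"external_account missing keys: {missing}")
        if not creds["audience"].startswith("//iam.googleapis.com/projects/"):
            raise ValueError("audience is not a workload identity provider resource")
        return "short-lived"
    raise ValueError(f"unsupported credential type: {kind!r}")


def read_subject_token(creds, read_file):
    """Read the OIDC token named by credential_source.file. read_file is injected
    (assumption for offline use). format.type 'text' means the file is the raw
    token; 'json' means it sits under format.subject_token_field_name."""
    src = creds["credential_source"]
    raw = read_file(src["file"]).strip()
    fmt = src.get("format", {"type": "text"})
    if fmt.get("type") == "json":
        return json.loads(raw)[fmt["subject_token_field_name"]]
    return raw


def jwt_seconds_remaining(token, now=None):
    """Seconds until the JWT's exp claim. The payload is decoded WITHOUT signature
    verification: STS verifies the token; this is only a local freshness check."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return int(payload["exp"] - (now if now is not None else time.time()))


def build_sts_exchange(creds, subject_token):
    """Form body POSTed to token_url to trade the OIDC token for a federated token."""
    return {
        "url": creds["token_url"],
        "body": {
            "grant_type": TOKEN_EXCHANGE_GRANT,
            "audience": creds["audience"],
            "scope": CLOUD_PLATFORM_SCOPE,
            "requested_token_type": ACCESS_TOKEN_TYPE,
            "subject_token_type": creds["subject_token_type"],
            "subject_token": subject_token,
        },
    }


def build_impersonation(creds, lifetime_seconds=3600):
    """JSON body POSTed to service_account_impersonation_url, authorised with the
    federated token, to mint a short-lived access token for the target account."""
    return {
        "url": creds["service_account_impersonation_url"],
        "body": {"scope": [CLOUD_PLATFORM_SCOPE], "lifetime": f"{lifetime_seconds}s"},
    }


def make_unsigned_jwt(exp, sub="system:serviceaccount:demo:app"):
    """Constructed, unsigned JWT (alg none) used only as sample input here."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"sub": sub, "exp": exp, "iss": "https://oidc.example"})
    return f"{header}.{payload}."


if __name__ == "__main__":
    files = {"/path/to/oidc/token": make_unsigned_jwt(int(time.time()) + 3600) + "\n"}
    print(classify(SAMPLE_EXTERNAL))
    tok = read_subject_token(SAMPLE_EXTERNAL, files.__getitem__)
    print("OIDC token valid for", jwt_seconds_remaining(tok), "s")
    print(json.dumps(build_sts_exchange(SAMPLE_EXTERNAL, tok)["body"], indent=2))
    print(json.dumps(build_impersonation(SAMPLE_EXTERNAL)["body"], indent=2))
```

The point of classify is the check a tool can make before doing anything else: a service_account file carries a secret that never expires on its own, while an external_account file carries no secret at all, only pointers to where a short-lived token can be obtained, which is why supporting the second type reduces what has to be protected on disk.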
Describe alternatives you've considered
NA
Additional context