Support workload identity federation
Opened this issue · 1 comments
Describe the problem you are trying to solve:
We would like to use Workload Identity Federation for all of our access to Google services from AWS. We've successfully enabled this for other services like BigQuery, but it does not appear to be supported by the google-ads-python library.
Describe the solution you'd like:
We'd like to see GoogleAdsClient accept a google.auth.Credentials object from the google-auth library, with full support for an external workload credential.
Describe alternatives you've considered:
We have an integration with Google Ads API working using the existing OAuth flow, but the toil of dealing with secrets management is undesirable, and it makes this integration a special case compared to all the Google services that do support workload identity federation. Workload identity federation is the auth approach that Google itself recommends, so this library should support it.
Additional context:
@patrickvinograd you're right that this isn't a formally supported auth workflow, but you should be able to make it work by manually instantiating the GoogleAdsClient class, instead of using one of the initialization methods, for example load_from_storage. Here's an example:
from google.ads.googleads.client import GoogleAdsClient
client = GoogleAdsClient(
credentials=Credentials # Credentials initialized by you
developer_token=....
...
)Let me know if that's a viable workaround.