slashdevops/idp-scim-sync

feat: Possible support for Workload Identity Federation in GCP

Parent5446 opened this issue · 2 comments

Is your feature request related to a problem? Please describe.
The Lambda function that's run on AWS requires JSON credentials for a GCP service account, which includes a non-rotatable secret key and which has broad access to all gSuite user data.

Describe the solution you'd like
GCP has a feature Workload Identity Federation (AWS instructions), which allows AWS to use OAuth to obtain short-lived credentials for impersonating a service account. Rather than having a JSON file with a secret key, instead you only need a JSON file with non-secret information, and everything else is configured in GCP via an identity pool.

Describe alternatives you've considered
The alternative here is just to use service account credentials, which just requires being a bit more careful.

Additional context
According to the AWS instructions, the primary requirement seems to be that golang.org/x/oauth2 must be version v0.0.0-20210218202405-ba52d332ba99 or later. Beyond that, there just needs to be a way to assign an AWS IAM Role to the executing function so that it has a role it can assert during the credential exchange.
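The credential config described above is the piece a practitioner will actually ship with the Lambda, so here is an added example (not part of the issue, the project, or golang.org/x/oauth2) that loads such a file and checks it before handing it to the OAuth library. It embeds a constructed `external_account` config of the shape produced by `gcloud iam workload-identity-pools create-cred-config --aws`; the project number, pool, provider and service account in it are placeholders. The check enforces the point the issue makes: the file must carry no long-lived secret, and because it is non-secret it is still integrity-sensitive, so the token exchange endpoints must be the genuine Google STS, IAM Credentials and AWS STS ones rather than anything an attacker could substitute. The last function encodes an assumption worth stating: Lambda has no EC2 metadata endpoint, and the x/oauth2 AWS credential source falls back to the `AWS_REGION`/`AWS_DEFAULT_REGION` and `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`/`AWS_SESSION_TOKEN` variables that the Lambda runtime sets from the function's execution role.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// SampleAWSConfig is a constructed example of the credential config that
// `gcloud iam workload-identity-pools create-cred-config --aws` emits.
// Project number, pool, provider and service account are placeholders.
const SampleAWSConfig = `{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/aws-pool/providers/aws-provider",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/scim-sync@example-project.iam.gserviceaccount.com:generateAccessToken",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}`

type credentialSource struct {
	EnvironmentID               string `json:"environment_id"`
	RegionalCredVerificationURL string `json:"regional_cred_verification_url"`
}

type externalAccount struct {
	Type                           string           `json:"type"`
	Audience                       string           `json:"audience"`
	SubjectTokenType               string           `json:"subject_token_type"`
	ServiceAccountImpersonationURL string           `json:"service_account_impersonation_url"`
	TokenURL                       string           `json:"token_url"`
	CredentialSource               credentialSource `json:"credential_source"`
}

// Identity is what the config binds the workload to: the pool/provider that
// accepts the AWS-signed GetCallerIdentity request and the service account
// that may be impersonated with the resulting short-lived token.
type Identity struct {
	ProjectNumber, PoolID, ProviderID, ServiceAccount string
}

var audienceRe = regexp.MustCompile(
	`^//iam\.googleapis\.com/projects/(\d+)/locations/global/workloadIdentityPools/([^/]+)/providers/([^/]+)$`)

// secretFields only occur in long-lived service-account key files; an
// external_account config must never carry them.
var secretFields = []string{"private_key", "private_key_id", "client_secret", "refresh_token"}

// ValidateAWSExternalAccount checks that raw is a secret-free external_account
// config whose exchange endpoints are the genuine Google and AWS ones, and
// returns the identity it binds the workload to.
func ValidateAWSExternalAccount(raw []byte) (*Identity, error) {
	var keys map[string]json.RawMessage
	if err := json.Unmarshal(raw, &keys); err != nil {
		return nil, fmt.Errorf("credential config is not valid JSON: %w", err)
	}
	for _, k := range secretFields {
		if _, present := keys[k]; present {
			return nil, fmt.Errorf("credential config carries long-lived secret field %q", k)
		}
	}
	var cfg externalAccount
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	if cfg.Type != "external_account" {
		return nil, fmt.Errorf("unexpected credential type %q", cfg.Type)
	}
	if cfg.SubjectTokenType != "urn:ietf:params:aws:token-type:aws4_request" {
		return nil, fmt.Errorf("unexpected subject_token_type %q", cfg.SubjectTokenType)
	}
	if cfg.TokenURL != "https://sts.googleapis.com/v1/token" {
		return nil, fmt.Errorf("token_url %q is not Google STS", cfg.TokenURL)
	}
	m := audienceRe.FindStringSubmatch(cfg.Audience)
	if m == nil {
		return nil, fmt.Errorf("audience %q is not a workload identity pool provider", cfg.Audience)
	}
	imp, err := url.Parse(cfg.ServiceAccountImpersonationURL)
	if err != nil || imp.Scheme != "https" || imp.Host != "iamcredentials.googleapis.com" ||
		!strings.HasSuffix(imp.Path, ":generateAccessToken") {
		return nil, fmt.Errorf("service_account_impersonation_url %q is not IAM Credentials", cfg.ServiceAccountImpersonationURL)
	}
	sa := strings.TrimSuffix(imp.Path[strings.LastIndex(imp.Path, "/")+1:], ":generateAccessToken")
	if cfg.CredentialSource.EnvironmentID != "aws1" {
		return nil, fmt.Errorf("credential_source.environment_id %q is not aws1", cfg.CredentialSource.EnvironmentID)
	}
	// The library substitutes {region} at runtime; do the same before parsing the host.
	ver, err := url.Parse(strings.ReplaceAll(cfg.CredentialSource.RegionalCredVerificationURL, "{region}", "us-east-1"))
	if err != nil || ver.Scheme != "https" || !strings.HasSuffix(ver.Host, ".amazonaws.com") ||
		ver.Query().Get("Action") != "GetCallerIdentity" {
		return nil, fmt.Errorf("regional_cred_verification_url %q is not AWS STS GetCallerIdentity", cfg.CredentialSource.RegionalCredVerificationURL)
	}
	return &Identity{ProjectNumber: m[1], PoolID: m[2], ProviderID: m[3], ServiceAccount: sa}, nil
}

// LambdaAWSCredentialsPresent reports whether env carries what the AWS credential
// source needs when no EC2 metadata endpoint exists (the Lambda case, as assumed
// here): a region plus the execution role's temporary keys. Temporary role
// credentials always come with a session token, so it is required too.
func LambdaAWSCredentialsPresent(env map[string]string) bool {
	region := env["AWS_REGION"] != "" || env["AWS_DEFAULT_REGION"] != ""
	return region && env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "" && env["AWS_SESSION_TOKEN"] != ""
}

func main() {
	id, err := ValidateAWSExternalAccount([]byte(SampleAWSConfig))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("pool %s/%s in project %s may impersonate %s\n", id.PoolID, id.ProviderID, id.ProjectNumber, id.ServiceAccount)
}
```

Run the validation once at cold start, before constructing the Admin SDK client from the file, and fail closed: a config that passes still grants nothing by itself, because GCP only honours the exchange if the pool's attribute condition and the service account's `roles/iam.workloadIdentityUser` binding admit the specific AWS role the Lambda runs as.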

@Parent5446 this looks like a good feature, let me see how we can implement it.

I will focus on this feature to see if this is possible for the next release v0.0.15