yoshidan/google-cloud-rust

support Workload Identity Federation

danburkert opened this issue · 7 comments

Hi, I have GitHub Action CI workloads which authenticate to GCP using 'Workload Identity Federation through a Service Account' following the configuration in the linked google-authored action.

I have enabled the external-account feature in google-cloud-auth.

When using google-cloud-storage in this CI environment authentication fails with Error: external account error : Unsupported Subject Token Source.

I believe this is expected behavior based on a TODO in the codebase: https://github.com/yoshidan/google-cloud-rust/blob/main/foundation/auth/src/token_source/external_account_source/mod.rs#L107-L108, but I wanted to file an issue to track progress and see if there are any workarounds, particularly in a GitHub Actions environment.

This is possibly a dupe of #171, but I couldn't tell for sure.

Currently we only support AWS for workload identity federation.

I have not yet investigated the details of how to work with github actions, but referring to the Go source, the credential source should be either FILE, URL, or Executable in this case.

https://github.com/golang/oauth2/blob/ebe81ad83719fe3426335b22e40a1e3a76fa45c0/google/internal/externalaccount/basecredentials.go#L147

I will check what the credential source will actually be.

I've run into the same issue and am currently investigating it.
Seems the credential source is URL type. Here's the credential I got on GitHub Actions (partially masked) 👇

{"type":"external_account","audience":"//iam.googleapis.com/***","subject_token_type":"urn:ietf:params:oauth:token-type:jwt","token_url":"https://sts.googleapis.com/v1/token","credential_source":{"url":"***","headers":{"Authorization":"***"},"format":{"type":"json","subject_token_field_name":"value"}},"service_account_impersonation_url":"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken"}

As far as I've investigated the URL type implementation in Go, it does not seem to be that complicated:
https://github.com/golang/oauth2/blob/ebe81ad83719fe3426335b22e40a1e3a76fa45c0/google/internal/externalaccount/urlcredsource.go
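As an added illustration of the URL-type flow the comment above refers to (this is example code written for this page, not code from google-cloud-rust or the Go oauth2 library): it dispatches on the `credential_source` shape the same way the Go `basecredentials` does, fetches the subject token from `credential_source.url` with the configured headers, applies the `format` rule (`json` with `subject_token_field_name`, or plain `text`), and assembles the form fields of the STS token-exchange request sent to `token_url`. The audience, URLs, header value and JWT are constructed placeholders standing in for the masked values in the posted credential; the HTTP fetch is injected as a function so the example runs offline.

```python
# Added example: resolving a URL-type external_account credential into an STS
# token-exchange request. Not part of google-cloud-rust; all values constructed.
import json
from typing import Callable, Optional

# Constructed stand-in for the (masked) credential posted in this thread.
SAMPLE_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/000000000000/locations/global/"
                "workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "url": "https://oidc.example.invalid/token?audience=example",  # placeholder issuer
        "headers": {"Authorization": "Bearer PLACEHOLDER_REQUEST_TOKEN"},   # placeholder
        "format": {"type": "json", "subject_token_field_name": "value"},
    },
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/"
        "projects/-/serviceAccounts/example-sa@example.iam.gserviceaccount.com:generateAccessToken",
}


def classify_credential_source(cfg: dict) -> str:
    """Which source kind is configured: aws, executable, url or file."""
    src = cfg.get("credential_source") or {}
    if str(src.get("environment_id", "")).startswith("aws"):
        return "aws"
    if "executable" in src:
        return "executable"
    if "url" in src:
        return "url"
    if "file" in src:
        return "file"
    # Same condition that produced the error reported in this issue.
    raise ValueError("Unsupported Subject Token Source")


def extract_subject_token(raw_body: str, fmt: Optional[dict]) -> str:
    """Apply credential_source.format to the body read from the URL or file."""
    fmt = fmt or {"type": "text"}
    kind = fmt.get("type", "text")
    if kind == "text":
        return raw_body.strip()
    if kind == "json":
        field = fmt["subject_token_field_name"]
        doc = json.loads(raw_body)
        if field not in doc:
            raise KeyError(f"subject token field {field!r} not present in response")
        return doc[field]
    raise ValueError(f"unsupported format type {kind!r}")


def resolve_subject_token(cfg: dict, fetch: Callable[[str, dict], str]) -> str:
    """URL source: GET credential_source.url with its headers, then apply the format.
    `fetch(url, headers) -> body` is injected so the example needs no network."""
    if classify_credential_source(cfg) != "url":
        raise ValueError("this helper only handles url-type sources")
    src = cfg["credential_source"]
    body = fetch(src["url"], src.get("headers", {}))
    return extract_subject_token(body, src.get("format"))


def build_sts_exchange_request(cfg: dict, subject_token: str,
                               scope: str = "https://www.googleapis.com/auth/cloud-platform") -> dict:
    """Form fields POSTed to token_url (RFC 8693 token exchange, as Google STS expects)."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": cfg["audience"],
        "scope": scope,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": cfg["subject_token_type"],
        "subject_token": subject_token,
    }


def fake_fetch(url: str, headers: dict) -> str:
    """Constructed stand-in for the OIDC token endpoint. It answers {"value": <jwt>},
    the shape the posted config expects (subject_token_field_name == "value"), and
    refuses requests that lack the expected Authorization header."""
    if headers.get("Authorization") != "Bearer PLACEHOLDER_REQUEST_TOKEN":
        return json.dumps({"message": "unauthorized"})
    return json.dumps({"value": "constructed.oidc.jwt"})


if __name__ == "__main__":
    token = resolve_subject_token(SAMPLE_CONFIG, fake_fetch)
    print(build_sts_exchange_request(SAMPLE_CONFIG, token))
```

The access token returned by STS would then be presented to `service_account_impersonation_url` to obtain the service-account token; that final call is left out here because it adds nothing to the subject-token part the thread is about.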

I see this was merged a couple of weeks ago. Any chance you'll publish a new release with it soon?

@theoribeiro Now I published google-cloud-auth v0.13.2

Unfortunately I'm still getting unsupported account external_account when using Workload Identity Federation on GitHub Actions. Any idea why?

Ah, never mind! This is behind a feature gate that I didn't know about. I added external-account and it's now solved and working in the CI.