
AWS Workload Identity Federation #1345

Open
ntang86 opened this issue Jul 7, 2023 · 2 comments

ntang86 commented Jul 7, 2023

Hey, do you have some documentation on how to use this lib with AWS and Workload Identity Federation?

The code below is giving me the following error

```python
import google.auth.transport.requests
from google.auth import aws

# Load the workload identity pool credential configuration file
cred = aws.Credentials.from_file("./work-identify-pool.json")
request = google.auth.transport.requests.Request()
# refresh() updates cred in place (it returns None); the token lands in cred.token
aws_cred = cred.refresh(request)
```
```json
{
  "errorMessage": "('Unable to acquire impersonated credentials', '{\\n  \"error\": {\\n    \"code\": 400,\\n    \"message\": \"Request contains an invalid argument.\",\\n    \"status\": \"INVALID_ARGUMENT\"\\n  }\\n}\\n')",
  "errorType": "RefreshError",
  "requestId": "",
  "stackTrace": [
    "  File \"/var/lang/lib/python3.10/importlib/__init__.py\", line 126, in import_module\n    return _bootstrap._gcd_import(name[level:], package, level)\n",
    "  File \"<frozen importlib._bootstrap>\", line 1050, in _gcd_import\n",
    "  File \"<frozen importlib._bootstrap>\", line 1027, in _find_and_load\n",
    "  File \"<frozen importlib._bootstrap>\", line 1006, in _find_and_load_unlocked\n",
    "  File \"<frozen importlib._bootstrap>\", line 688, in _load_unlocked\n",
    "  File \"<frozen importlib._bootstrap_external>\", line 883, in exec_module\n",
    "  File \"<frozen importlib._bootstrap>\", line 241, in _call_with_frames_removed\n",
    "  File \"/var/task/main.py\", line 20, in <module>\n    aws_cred = cred.refresh(request)\n",
    "  File \"/var/task/google/auth/external_account.py\", line 360, in refresh\n    self._impersonated_credentials.refresh(request)\n",
    "  File \"/var/task/google/auth/impersonated_credentials.py\", line 247, in refresh\n    self._update_token(request)\n",
    "  File \"/var/task/google/auth/impersonated_credentials.py\", line 276, in _update_token\n    self.token, self.expiry = _make_iam_token_request(\n",
    "  File \"/var/task/google/auth/impersonated_credentials.py\", line 104, in _make_iam_token_request\n    raise exceptions.RefreshError(_REFRESH_ERROR, response_body)\n"
  ]
}
```
lsirac commented Jul 11, 2023

It's covered in the user guide here. Are you using EC2? What you've provided is not enough for us to help. If you provide more info (e.g. the config you're using, the request that was made), @BigTailWolf can help out.

ntang86 commented Jul 12, 2023

Hi, for some context, I'm using Lambda to send requests to a CloudRun instance. So I can't use the client libraries.

Not sure how "attribute mapping and condition" works in my case; what are the different elements we have to set up on AWS? I'm a bit confused, I had some trouble following the guide "Authenticate a workload using the REST API".
It would be great to have a working example of how to set up a REST request from Lambda.

Thank you
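The REST flow the user guide describes, as an added example that is not google-auth's code and not taken from the guide: step 1 signs an AWS STS `GetCallerIdentity` request with SigV4 (my own implementation from the AWS signing spec, not the library's) with the Google audience in a signed `x-goog-cloud-target-resource` header; step 2 sends that serialized request as the subject token to the Google STS token-exchange endpoint; step 3 uses the returned federated token to impersonate a service account. Building the requests offline makes it possible to see which step fails: in the traceback above the exception is raised in `_make_iam_token_request`, i.e. in step 3, after the STS exchange. Assumptions: the audience, service account and Cloud Run URL are placeholders; Lambda's `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN` and `AWS_REGION` environment variables are the credential source when run for real; and because a Cloud Run service checks an ID token rather than an access token, step 3 calls `generateIdToken` with the service URL as audience, which goes beyond what the thread itself shows.

```python
# Added example: AWS -> Google Workload Identity Federation via REST, built step by step.
# Not google-auth's code; AUDIENCE, SERVICE_ACCOUNT and CLOUD_RUN_URL are placeholders.
import datetime
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request

GOOGLE_STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{sa}:{method}"
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()  # GetCallerIdentity is sent with an empty body


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get_caller_identity(access_key, secret_key, session_token, region, audience, amz_date=None):
    """Step 1: SigV4-sign POST GetCallerIdentity against the regional AWS STS endpoint.
    x-goog-cloud-target-resource is a signed header, so this proof of AWS identity is bound
    to one Google workload identity provider (the audience) and cannot be replayed elsewhere."""
    url = f"https://sts.{region}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
    parsed = urllib.parse.urlsplit(url)
    amz_date = amz_date or datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    headers = {"host": parsed.netloc, "x-amz-date": amz_date, "x-goog-cloud-target-resource": audience}
    if session_token:  # Lambda's temporary credentials always carry one; it must be signed too
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(urllib.parse.parse_qsl(parsed.query, keep_blank_values=True)))
    canonical_request = "\n".join([
        "POST", parsed.path or "/", canonical_query,
        "".join(f"{n}:{headers[n].strip()}\n" for n in names), ";".join(names), EMPTY_BODY_SHA256])
    scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])  # derive the per-day signing key
    for part in (region, "sts", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={';'.join(names)}, Signature={signature}")
    return url, headers


def subject_token(url, signed_headers):
    """Serialize the signed request as the percent-encoded JSON Google expects as subject token."""
    request = {"url": url, "method": "POST",
               "headers": [{"key": k, "value": v} for k, v in signed_headers.items()]}
    return urllib.parse.quote(json.dumps(request))


def decode_subject_token(token):
    """Inverse of subject_token, handy for checking what will actually be sent."""
    return json.loads(urllib.parse.unquote(token))


def sts_exchange_body(audience, token):
    """Step 2: body for POST https://sts.googleapis.com/v1/token; the reply carries access_token."""
    return {"audience": audience,
            "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
            "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
            "scope": "https://www.googleapis.com/auth/cloud-platform",
            "subjectTokenType": "urn:ietf:params:aws:token-type:aws4_request",
            "subjectToken": token}


def id_token_request(service_account, federated_token, cloud_run_url):
    """Step 3: impersonate the service account for an ID token whose audience is the Cloud Run URL."""
    url = IAM_CREDENTIALS_URL.format(sa=service_account, method="generateIdToken")
    headers = {"Authorization": f"Bearer {federated_token}"}
    return url, headers, {"audience": cloud_run_url, "includeEmail": True}


def post_json(url, body, headers=None):
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req, timeout=10) as resp:  # 4xx raises HTTPError carrying the JSON error
        return json.load(resp)


if __name__ == "__main__":
    AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/my-pool/providers/aws-provider")  # placeholder
    SERVICE_ACCOUNT = "run-invoker@my-project.iam.gserviceaccount.com"  # placeholder
    CLOUD_RUN_URL = "https://my-service-abcdefghij-uc.a.run.app"  # placeholder
    env = os.environ
    url, signed = sign_get_caller_identity(
        env.get("AWS_ACCESS_KEY_ID", "AKIAEXAMPLE"), env.get("AWS_SECRET_ACCESS_KEY", "example-secret"),
        env.get("AWS_SESSION_TOKEN", ""), env.get("AWS_REGION", "us-east-1"), AUDIENCE)
    exchange = sts_exchange_body(AUDIENCE, subject_token(url, signed))
    print(json.dumps(exchange, indent=2))  # what step 2 will send; inspect before sending
    if "AWS_ACCESS_KEY_ID" in env:  # only talk to Google when real Lambda credentials are present
        federated = post_json(GOOGLE_STS_URL, exchange)["access_token"]
        iam_url, iam_headers, iam_body = id_token_request(SERVICE_ACCOUNT, federated, CLOUD_RUN_URL)
        print(post_json(iam_url, iam_body, iam_headers)["token"])  # send as Bearer to Cloud Run
```

Running the three calls separately tells the steps apart: a 400 from step 2 means Google rejected the AWS proof or the audience, while a success there followed by a 400 from step 3 (the shape of the traceback above) means the federated identity was accepted and the impersonation call is what needs checking, which is where the guide's attribute mapping, attribute condition and the service account's binding for the federated principal come in.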
