feat: workload identity federation support #698
Conversation
…#594) This defines internal utilities to handle: - OAuth client authentication - Standard OAuth error response parsing into OAuthError exception.
* refactor: split 'with_quota_project' into separate base class (#561) * feat: implements the OAuth token exchange spec based on rfc8693
…ss for external_account credentials (#603)
…ount.Credentials` (#605) If the `service_account_impersonation_url` is provided, an additional step to exchange the external account GCP access token for a service account impersonated token is performed. This is needed because many Google Cloud services do not yet support external account GCP access tokens. In order to support service account impersonations, we depend on `google.auth.impersonated_credentials.Credentials` which has been extended to accept an override of the IAM `GenerateAccessToken endpoint`. This is useful when supporting impersonation with regional endpoints.
Syncs the BYOID branch to master. No additional changes added.
…d Azure workloads (#617)
Implements the AWS signature version 4 for signing requests based on: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html It will be used to generate signed requests to AWS GetCallerIdentity API. https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html This API is used to securely return details about the IAM user or role whose credentials are used to call the operation. The majority of the test cases are using the AWS SDK test fixtures.
) This will subclass the abstract class `google.auth.external_account.Credentials` and will compute subject tokens as follows: - Retrieve AWS region from either `AWS_REGION` envvar or AWS metadata server `availability-zone`. - Check AWS credentials in environment variables: - `AWS_ACCESS_KEY_ID` - `AWS_SECRET_ACCESS_KEY` - `AWS_SESSION_TOKEN`. If not found, get from AWS metadata server `security-credentials` endpoint. - Get AWS credentials from AWS metadata server `security-credentials` endpoint. In order to retrieve this, the AWS role needs to be determined by calling `security-credentials` endpoint without any argument. Then the credentials can be retrieved via: `security-credentials/role_name` - Generate the signed request to AWS STS `GetCallerIdentity` action. - Inject `x-goog-cloud-target-resource` into reformatted header and serialize the signed request. This will be the subject-token to pass to GCP STS.
* refactor: split 'with_quota_project' into separate base class (#561) Co-authored-by: Tres Seaver <tseaver@palladion.com> * fix: dummy commit to trigger a auto release (#597) * chore: release 1.21.1 (#599) * chore: updated CHANGELOG.md [ci skip] * chore: updated setup.cfg [ci skip] * chore: updated setup.py Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> * fix: migrate signBlob to iamcredentials.googleapis.com (#600) Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com. This API is deprecated and will be shutdown in one year. This is used google.auth.iam.Signer. Added a system_test to sanity check the implementation. * chore: release 1.21.2 (#601) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> * fix: fix expiry for `to_json()` (#589) * This patch for </issues/501> includes the following fixes: - The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file. - For refresh needs, `expiry` also needs to be saved via `to_json()`. - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency. - LOAD: Add code to restore `expiry` back to `datetime.datetime` object when imported. - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place. - Minor `scopes` updates - DUMP: Add property for `scopes` so `to_json()` can grab it - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported. * chore: add default CODEOWNERS (#609) * chore: release 1.21.3 (#607) * feat: add asyncio based auth flow (#612) * feat: asyncio http request logic and asynchronous credentials logic (#572) Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com> * chore: release 1.22.0 (#615) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> * fix: move aiohttp to extra as it is currently internal surface (#619) Fix #618. Removes aiohttp from required dependencies to lessen dependency tree for google-auth. This will need to be looked at again as more folks use aiohttp and once the surfaces goes to public visibility. * chore: release 1.22.1 (#620) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> * fix: remove checks for ancient versions of Cryptography (#596) Refs #595 (comment) I see no point in checking whether someone is running a version of https://github.com/pyca/cryptography/ from 2014 that doesn't even compile against modern versions of OpenSSL anymore. * chore: sync to master Syncs to master. Fixes broken unit tests in Python 3.6 and 3.7. Aligns test_identity_pool.py with test_aws.py. Co-authored-by: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com> Co-authored-by: Tres Seaver <tseaver@palladion.com> Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com> Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: wesley chun <wescpy@gmail.com> Co-authored-by: Christopher Wilcox <crwilcox@google.com> Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com> Co-authored-by: Aarni Koskela <akx@iki.fi>
…redentials (#631) This is introduced to support the current pattern of using the Auth library: `credentials, project_id = google.auth.default()` This will be added to the project ID determination logic: https://github.com/googleapis/google-auth-library-python/blob/3b3172ef94c110c81a49bc160123e8ff55141e65/google/auth/_default.py#L338 This will first determine the project number from the STS audience: `//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...` It will then call cloud resource manager to determine the project information: https://cloudresourcemanager.googleapis.com/v1/projects/$PROJECT_NUMBER This may fail for the following reasons: - The resource may not have permission (resourcemanager.projects.get) to call this API - Required scopes may not be selected: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes To reduce cost of this API, we will fail quickly and not retry and we will use scopes provided as is.
…auth.load_credentials_from_file()` (#635) - Adds implicit ADC support for external account credentials via `google.auth.default()`. - Adds explicit support for external account credentials via `google.auth.load_credentials_from_file()`. - Adds optional `google.auth.transport.Request` argument to `load_credentials_from_file` to facilitate retrieval of workload identity pool project ID if determinable. This follows a similar pattern set by `_get_gce_credentials` method. - Related comprehensive unit tests have been added to only the public methods (`default()` and `load_credentials_from_file()`). - Updated constructor invalid argument exceptions for `google.auth.identity_pool.Credentials` and `google.auth.aws.Credentials` to be `ValueError` instead of `exceptions.GoogleAuthError`. This aligns these credentials with service account credentials behavior.
…creds Reverted changes in `google.auth.default()` logic introduced in external account creds. `_get_explicit_environ_credentials` is called with no arguments as previously done. Instead after the credential is returned via `with_scopes_if_required()`, we try to get project ID if the credential has a `get_project_id` method and if the project ID is not yet been determined. This is a safer change while still keeping the logic to determine project ID for external credentials.
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
google-cla
bot
added
the
cla: no
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
busunkim96
removed
the
cla: no
busunkim96
added
the
cla: yes
|
CLAs were granted when commits were originally merged to |
Using workload identity federation, applications can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload identity federation is recommended for non-Google Cloud environments as it avoids the need to download, manage and store service account private keys locally.
This includes a rollforward of the previous reverted PR and the fix to not pass scopes to user credentials from
google.auth.default().