support Workload Identity Federation #233

Open
danburkert opened this issue Feb 16, 2024 · 7 comments
Comments

@danburkert (Contributor)

Hi, I have GitHub Actions CI workloads which authenticate to GCP using 'Workload Identity Federation through a Service Account', following the configuration in the linked google-authored action.

I have enabled the external-account feature in google-cloud-auth.

When using google-cloud-storage in this CI environment, authentication fails with `Error: external account error : Unsupported Subject Token Source`.

I believe this is expected behavior based on a TODO in the codebase: https://github.com/yoshidan/google-cloud-rust/blob/main/foundation/auth/src/token_source/external_account_source/mod.rs#L107-L108, but I wanted to file an issue to track progress and see if there are any workarounds, particularly in a GitHub Actions environment.

@danburkert (Contributor, author)

This is possibly a dupe of #171, but I couldn't tell for sure.

@yoshidan (Owner)

Currently we only support AWS for workload identity federation.

I have not yet investigated the details of how to work with github actions, but referring to the Go source, the credential source should be either FILE, URL, or Executable in this case.

https://github.com/golang/oauth2/blob/ebe81ad83719fe3426335b22e40a1e3a76fa45c0/google/internal/externalaccount/basecredentials.go#L147

I will check what the credential source will actually be.

@moricho (Contributor) commented Mar 6, 2024

I've run into the same issue and am currently investigating it.
It seems the credential source is the URL type. Here's the credential I got on GitHub Actions (partially masked) 👇

```json
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/***",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "url": "***",
    "headers": { "Authorization": "***" },
    "format": { "type": "json", "subject_token_field_name": "value" }
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken"
}
```

As far as I've investigated the URL type implementation in Go, it does not seem to be that complicated:
https://github.com/golang/oauth2/blob/ebe81ad83719fe3426335b22e40a1e3a76fa45c0/google/internal/externalaccount/urlcredsource.go
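The URL credential source flow the config above describes, written out as an added example (this is not code from google-cloud-rust or from the Go oauth2 package; it is modelled on the urlcredsource.go linked in the comment). Go is used here because that reference implementation and its standard-library `httptest` make the exchange runnable offline. Assumptions: `NewFakeOIDCServer` is a constructed stand-in for the GitHub Actions OIDC token endpoint (the masked `url` in the config), `bearer runtime-token` stands in for the masked `Authorization` header value, and the JWT and audience strings are placeholders. The function names `FetchSubjectToken` and `STSExchangeForm` are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Format mirrors credential_source.format: "json" with a field name, or "text" (whole body is the token).
type Format struct {
	Type                  string `json:"type"`
	SubjectTokenFieldName string `json:"subject_token_field_name"`
}

// CredentialSource mirrors the url-type credential_source block of an external_account file.
type CredentialSource struct {
	URL     string            `json:"url"`
	Headers map[string]string `json:"headers"`
	Format  Format            `json:"format"`
}

// FetchSubjectToken is the url credential source step: GET the URL with the configured headers and extract the OIDC JWT.
func FetchSubjectToken(client *http.Client, src CredentialSource) (string, error) {
	req, err := http.NewRequest(http.MethodGet, src.URL, nil)
	if err != nil {
		return "", err
	}
	for k, v := range src.Headers { // on GitHub Actions this carries the runner's request token
		req.Header.Set(k, v)
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // tokens are small; cap the read
	if err != nil {
		return "", err
	}
	if resp.StatusCode/100 != 2 {
		return "", fmt.Errorf("subject token endpoint returned HTTP %d", resp.StatusCode)
	}
	switch src.Format.Type {
	case "", "text": // the whole body is the token
		return strings.TrimSpace(string(body)), nil
	case "json": // the token sits in one field, e.g. GitHub's {"count":1,"value":"<jwt>"}
		var fields map[string]interface{}
		if err := json.Unmarshal(body, &fields); err != nil {
			return "", fmt.Errorf("decoding subject token response: %w", err)
		}
		if tok, ok := fields[src.Format.SubjectTokenFieldName].(string); ok && tok != "" {
			return tok, nil
		}
		return "", fmt.Errorf("field %q missing from subject token response", src.Format.SubjectTokenFieldName)
	}
	return "", fmt.Errorf("unsupported credential source format %q", src.Format.Type)
}

// STSExchangeForm builds the RFC 8693 token-exchange body POSTed to token_url; the returned access token then goes to service_account_impersonation_url.
func STSExchangeForm(audience, subjectTokenType, subjectToken string) url.Values {
	return url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"audience":             {audience},
		"scope":                {"https://www.googleapis.com/auth/cloud-platform"},
		"requested_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"subject_token_type":   {subjectTokenType},
		"subject_token":        {subjectToken},
	}
}

// NewFakeOIDCServer is a constructed stand-in for the GitHub Actions OIDC endpoint: it demands the runner's bearer token and answers in GitHub's {"count","value"} shape.
func NewFakeOIDCServer(expectAuth, jwt string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != expectAuth {
			http.Error(w, "wrong or missing runtime token", http.StatusUnauthorized)
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]interface{}{"count": 1, "value": jwt})
	}))
}

func main() {
	srv := NewFakeOIDCServer("bearer runtime-token", "eyJhbGciOiJSUzI1NiJ9.constructed.sig") // placeholder JWT
	defer srv.Close()
	// Constructed credential_source in the shape of the one posted above, pointed at the fake server.
	var src CredentialSource
	if err := json.Unmarshal([]byte(`{"url":"`+srv.URL+`/?audience=placeholder","headers":{"Authorization":"bearer runtime-token"},"format":{"type":"json","subject_token_field_name":"value"}}`), &src); err != nil {
		panic(err)
	}
	tok, err := FetchSubjectToken(srv.Client(), src)
	if err != nil {
		panic(err)
	}
	fmt.Println("subject token:", tok)
	fmt.Println("STS body:", STSExchangeForm("//iam.googleapis.com/placeholder", "urn:ietf:params:oauth:token-type:jwt", tok).Encode())
}
```

Two things worth noting when wiring this into a client: the credential file itself contains the runner's request token in `headers.Authorization`, so it is a secret for the life of the job and must not end up in logs or artifacts; and a non-2xx from the endpoint or a missing `value` field must fail closed rather than send an empty `subject_token` to STS. On the Rust side the equivalent code path is only compiled when the `external-account` feature of google-cloud-auth is enabled in Cargo.toml (`features = ["external-account"]`), which is the feature gate this thread ends on.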

@theoribeiro

I see this was merged a couple of weeks ago. Any chance you'll publish a new release with it soon?

@yoshidan (Owner)

@theoribeiro I have now published google-cloud-auth v0.13.2.

@theoribeiro

Unfortunately I'm still getting `unsupported account external_account` when using Workload Identity Federation on GitHub Actions. Any idea why?

@theoribeiro

Ah, never mind! This is behind a feature gate that I didn't know about. I added `external-account` and it's now solved and working in the CI.
