Workload Identity Federation from AWS support #29

Closed
abdolence opened this issue Oct 16, 2022 · 8 comments · Fixed by #172
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@abdolence
Owner

AWS needs a specialised implementation for Workload Identity Federation authentication.

Described here:
https://google.aip.dev/auth/4117

@abdolence abdolence added enhancement New feature or request help wanted Extra attention is needed labels Oct 16, 2022
@Wykiki

Wykiki commented Jun 18, 2024

Hello,

Sorry for bumping an old issue, but I wonder if my use case would be similar. I need to auth with WIP, but on any kind of Kubernetes cluster. In the end, I need to auth with this equivalent gcloud command, without using Service Account impersonation (source):

gcloud iam workload-identity-pools create-cred-config \
    projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \
    --credential-source-file=/var/run/service-account/token \
    --credential-source-type=text \
    --output-file=credential-configuration.json

If I'm not mistaken, the produced JSON file may be used as a TokenSourceType::Json, but I would be lacking the refresh automation, as the command given above should be run again before token expiration.

I planned on writing a custom Source for this use case, but that would probably benefit the project.

Do you have ideas about how things should be implemented? Like, creating a new variant of TokenSourceType?

Should I create another issue?

Thanks for reading!

@abdolence
Owner Author

Hi,

Your use case seems already covered in my implementation:

FileBased(ExternalCredentialFile),

AWS is a special one since it requires implementing a complex interaction with AWS. Yours looks like just a file, and it should work. GitHub has a similar integration, and it works even in this repo.

@abdolence
Owner Author

In theory you shouldn't need to write anything and can use the crate out of the box. It should handle workload identity in Kubernetes automatically (just make sure it is enabled in GKE).

@Wykiki

Wykiki commented Jun 18, 2024

Thanks for the quick reply!

Indeed, it looks like it is already covered, but in the above gcloud command example I'm using the Kubernetes ServiceAccount token file, which just contains a JWT. So I'm guessing I should provide another file that contains all the other parameters, but what is its format? Or maybe export some env var that will hint the crate about what to use?

If I'm not mistaken, with what's done in the crate, I should just have to provide:

  • SA token file path
  • WorkloadIdentityPoolProviderId

I have probably missed something, sorry for asking.

@abdolence
Owner Author

Oh, right, you don't have a metadata server and such available, I guess? Is it some kind of self-hosted Kubernetes? Let me investigate the available options and come back to you.

@Wykiki

Wykiki commented Jun 18, 2024

I think I found something: https://cloud.google.com/iam/docs/workload-download-cred-and-grant-access

What it produces:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<WIP_ID>/providers/<WIPP_ID>",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/run/secrets/kubernetes.io/serviceaccount/token",
    "format": {
      "type": "text"
    }
  }
}

I guess I just have to format the file for my needs and reference it with FileBased using the JSON format.

I'll try that and let you know.

EDIT: And I think I can even use the GOOGLE_APPLICATION_CREDENTIALS default variable pointing to that file, to let the crate auto-discover the method.

EDIT 2: I confirm it works with GOOGLE_APPLICATION_CREDENTIALS pointing to the above file. Thanks!

@abdolence
Owner Author

Yeah, this should work. I was trying to find a similar example; glad you have already found it.

@abdolence
Owner Author

One thing worth mentioning about that file: please consider it a sensitive file too, so that nobody can modify it.
It doesn't contain a token, but it has sensitive settings, so if a malicious actor can modify it, they can redirect token values to a location they specify (for example, some unexpected HTTP URL).
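
The caveat above is worth turning into a check. The following is an added example, not code from gcloud-sdk-rs or from anyone in this thread: it vets an external_account configuration of the shape posted earlier before the file is handed to the auth library, pinning token_url to the Google STS endpoint, requiring a file-based credential_source under the Kubernetes service-account directory, and rejecting url/executable sources and impersonation URLs. Everything in it is an assumption for illustration: the allowed token directories, the pinned endpoint, the constructed GOOD_CONFIG sample, and the tiny string/object extractors, which stand in for a real JSON parser such as serde_json so the block runs on std alone (they handle only the unescaped string fields these configs contain).

```rust
/// First quoted string value following `"key":` (unescaped strings only, which is
/// all these configs contain). Stands in for serde_json so this runs on std alone.
fn string_field(json: &str, key: &str) -> Option<String> {
    let needle = format!("\"{key}\"");
    let after_key = &json[json.find(&needle)? + needle.len()..];
    let value = after_key.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    Some(value[..value.find('"')?].to_string())
}

/// The `{ ... }` object following `"key":`, matched by brace depth so the nested
/// `format` object stays inside `credential_source`.
fn object_field<'a>(json: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!("\"{key}\"");
    let start = json.find(&needle)? + needle.len();
    let open = start + json[start..].find('{')?;
    let mut depth = 0i32;
    for (i, c) in json[open..].char_indices() {
        depth += (c == '{') as i32 - (c == '}') as i32;
        if depth == 0 {
            return Some(&json[open..=open + i]);
        }
    }
    None
}

/// Pinned STS endpoint: a config pointing anywhere else ships the SA token there.
pub const EXPECTED_TOKEN_URL: &str = "https://sts.googleapis.com/v1/token";
/// Assumption: the projected SA token lives under one of these directories.
const ALLOWED_TOKEN_DIRS: [&str; 2] = [
    "/var/run/secrets/kubernetes.io/serviceaccount/",
    "/run/secrets/kubernetes.io/serviceaccount/",
];

/// Every policy violation in `json`; an empty Vec means the file may be used.
pub fn validate_external_account(json: &str) -> Vec<String> {
    let mut findings = Vec::new();
    let source = object_field(json, "credential_source").unwrap_or("");
    // Blank out the nested object so the top-level "type" is unambiguous.
    let top = json.replacen(source, "", 1);
    let field = |key: &str| string_field(&top, key);
    if field("type").as_deref() != Some("external_account") {
        findings.push("type is not external_account".to_string());
    }
    if field("subject_token_type").as_deref() != Some("urn:ietf:params:oauth:token-type:jwt") {
        findings.push("unexpected subject_token_type".to_string());
    }
    if field("token_url").as_deref() != Some(EXPECTED_TOKEN_URL) {
        findings.push(format!("token_url is not {EXPECTED_TOKEN_URL}"));
    }
    if !field("audience").map_or(false, |a| a.starts_with("//iam.googleapis.com/projects/")) {
        findings.push("audience is not a Google IAM workload identity pool".to_string());
    }
    // No impersonation in this setup, so an impersonation URL is one more place a modified file could send the token.
    if top.contains("\"service_account_impersonation_url\"") {
        findings.push("unexpected service_account_impersonation_url".to_string());
    }
    // Only a file source belongs here: url/executable sources let a modified config fetch from, or run, something of the attacker's choosing.
    if source.contains("\"url\"") || source.contains("\"executable\"") {
        findings.push("credential_source must be file based".to_string());
    }
    let token_path_ok = string_field(source, "file").map_or(false, |p| {
        !p.contains("..") && ALLOWED_TOKEN_DIRS.iter().any(|d| p.starts_with(*d))
    });
    if !token_path_ok {
        findings.push("credential_source.file is outside the SA token directory".to_string());
    }
    if string_field(source, "type").as_deref() != Some("text") {
        findings.push("credential_source.format.type must be text".to_string());
    }
    findings
}

/// The file holds no token but decides where the token goes, so group/other write
/// bits (from `std::os::unix::fs::PermissionsExt::mode`) are a finding too.
pub fn writable_by_others(mode: u32) -> bool {
    mode & 0o022 != 0
}

/// Constructed sample shaped like the file shown earlier in the thread.
pub const GOOD_CONFIG: &str = r#"{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/run/secrets/kubernetes.io/serviceaccount/token",
    "format": { "type": "text" }
  }
}"#;

fn main() {
    // The tampering the caveat warns about: token_url repointed to an attacker host.
    let tampered = GOOD_CONFIG.replace(EXPECTED_TOKEN_URL, "https://attacker.example/collect");
    println!("good: {:?}", validate_external_account(GOOD_CONFIG));
    println!("tampered: {:?}", validate_external_account(&tampered));
}
```

Run the check on the file GOOGLE_APPLICATION_CREDENTIALS points at during startup, and pair it with a mode check on unix (`std::fs::metadata(path)?.permissions().mode()` fed to `writable_by_others`) so that a config writable by other users or groups is treated the same way as one with a repointed token_url.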
