GoogleCloudPlatform / artifact-registry-maven-tools

Apache License 2.0

Workload Federation not working when `gcloud` is not available, 'subject_token_field_name must be set' error #77

Open bravous opened 1 year ago

bravous commented 1 year ago

When using workload federation, it seems that the artifact wagon implementation is not able to use the credential config.

For instance, when I do the following in a Bitbucket pipeline (gcloud is not available), it fails:

```bash
# Use Service Account Federation
echo "$BITBUCKET_STEP_OIDC_TOKEN" > /tmp/oidc-token.txt
export GOOGLE_APPLICATION_CREDENTIALS=`pwd`/credential-config.json
mvn clean package
```

I get the following error: `When specifying a JSON credential type, the subject_token_field_name must be set.`

```
Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: Could not transfer artifact XYZ
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact XYZ
Caused by: java.lang.IllegalArgumentException: When specifying a JSON credential type, the subject_token_field_name must be set.
    at com.google.auth.oauth2.IdentityPoolCredentials$IdentityPoolCredentialSource.<init> (IdentityPoolCredentials.java:144)
    at com.google.auth.oauth2.ExternalAccountCredentials.fromJson (ExternalAccountCredentials.java:320)
    at com.google.auth.oauth2.GoogleCredentials.fromStream (GoogleCredentials.java:174)
    at com.google.auth.oauth2.DefaultCredentialsProvider.getDefaultCredentialsUnsynchronized (DefaultCredentialsProvider.java:159)
    at com.google.auth.oauth2.DefaultCredentialsProvider.getDefaultCredentials (DefaultCredentialsProvider.java:126)
    at com.google.auth.oauth2.GoogleCredentials.getApplicationDefault (GoogleCredentials.java:124)
    at com.google.auth.oauth2.GoogleCredentials.getApplicationDefault (GoogleCredentials.java:96)
    at com.google.cloud.artifactregistry.auth.DefaultCredentialProvider.makeGoogleCredentials (DefaultCredentialProvider.java:75)
    at com.google.cloud.artifactregistry.auth.DefaultCredentialProvider.getCredential (DefaultCredentialProvider.java:53)
    at com.google.cloud.artifactregistry.wagon.ArtifactRegistryWagon.openConnectionInternal (ArtifactRegistryWagon.java:78)
    at org.apache.maven.wagon.AbstractWagon.openConnection (AbstractWagon.java:139)
```

However, when I install the gcloud command line, everything works fine. I would expect Maven to be able to work by itself, without the gcloud command line tool being available.

```bash
# Download the Google Cloud SDK
curl -o /tmp/google-cloud-sdk.tar.gz https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-408.0.1-linux-x86_64.tar.gz
tar -xvf /tmp/google-cloud-sdk.tar.gz -C /tmp/
/tmp/google-cloud-sdk/install.sh -q
source /tmp/google-cloud-sdk/path.bash.inc

# Use Service Account Federation
echo "$BITBUCKET_STEP_OIDC_TOKEN" > /tmp/oidc-token.txt
gcloud auth login --cred-file=credential-config.json
mvn clean package
```

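
The following Python pre-flight check is an added example; it is not code from this issue or from the artifact-registry-maven-tools project. It validates a file-sourced `external_account` credential config of the kind `gcloud iam workload-identity-pools create-cred-config --credential-source-file=... --output-file=...` writes, before a client that has no gcloud (here the Maven wagon, via `GOOGLE_APPLICATION_CREDENTIALS`) tries to parse it. It applies the rule behind the error quoted above (a `json` credential format requires `subject_token_field_name`), confirms that the token file the config points at exists and holds a JWT-shaped token, and flags a token file that other users can read (a plain `echo ... > /tmp/oidc-token.txt` inherits the umask). The project number, pool, provider and service-account names in the sample config, the fake token, and all function names are placeholders chosen for the example; the example also assumes that a config with no `format` block is treated as plain text.

```python
"""Pre-flight checks for an external_account (Workload Identity Federation)
credential config, run before a gcloud-less client reads it through
GOOGLE_APPLICATION_CREDENTIALS. Added example; not the wagon's own code."""
from __future__ import annotations

import json
import os
import stat
import tempfile

VALID_FORMAT_TYPES = {"text", "json"}


def check_external_account_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the config passes.

    The structural rules mirror what the auth library checks when it parses the
    file (a 'json' format needs subject_token_field_name); the file checks catch
    what only fails at runtime (missing, unreadable or over-permissive token file).
    """
    problems: list[str] = []
    if cfg.get("type") != "external_account":
        problems.append(f"type must be 'external_account', got {cfg.get('type')!r}")
    for key in ("audience", "subject_token_type", "token_url", "credential_source"):
        if key not in cfg:
            problems.append(f"missing required field {key!r}")
    src = cfg.get("credential_source")
    if not isinstance(src, dict):
        return problems
    sources = [k for k in ("file", "url", "executable") if k in src]
    if len(sources) != 1:
        problems.append(f"credential_source must name exactly one of file/url/executable, got {sources}")
    fmt = src.get("format") or {}
    fmt_type = fmt.get("type", "text")  # assumption: a missing format block means plain text
    field_name = fmt.get("subject_token_field_name")
    if fmt_type not in VALID_FORMAT_TYPES:
        problems.append(f"credential_source.format.type must be text or json, got {fmt_type!r}")
        return problems
    if fmt_type == "json" and not field_name:
        # The condition behind: "When specifying a JSON credential type,
        # the subject_token_field_name must be set."
        problems.append("credential_source.format.type is 'json' but subject_token_field_name is not set")
    if "file" in src:
        problems += _check_token_file(src["file"], fmt_type, field_name)
    return problems


def _check_token_file(path: str, fmt_type: str, field_name: str | None) -> list[str]:
    """Check the file the config points at: present, owner-only, JWT-shaped token."""
    if not os.path.isfile(path):
        return [f"token file {path!r} does not exist"]
    problems: list[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"token file {path!r} is group/world accessible (mode {mode:04o}); use 0600")
    with open(path, encoding="utf-8") as fh:
        body = fh.read().strip()
    if fmt_type == "text":
        token = body
    else:
        try:
            token = json.loads(body).get(field_name) if field_name else None
        except (json.JSONDecodeError, AttributeError):
            return problems + [f"token file {path!r} is not a JSON object"]
    if not isinstance(token, str) or not token:
        problems.append(f"no subject token found in {path!r}")
    elif token.count(".") != 2:
        problems.append("subject token does not look like a JWT (expected three dot-separated segments)")
    return problems


def write_token_file(path: str, token: str) -> None:
    """Write the OIDC token owner-only, unlike a shell redirect that inherits the umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(token)
    os.chmod(path, 0o600)  # the file may have pre-existed with a wider mode


def make_config(token_path: str, fmt: dict) -> dict:
    """Constructed example of a create-cred-config output; all names are placeholders."""
    return {
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/123456789/locations/global/"
                    "workloadIdentityPools/my-pool/providers/bitbucket",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
                                             "serviceAccounts/deployer@my-project.iam.gserviceaccount.com:generateAccessToken",
        "credential_source": {"file": token_path, "format": fmt},
    }


def demo() -> dict[str, list[str]]:
    """Run the checker over one good text config, one good json config and two broken ones."""
    fake_jwt = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUifQ.c2ln"  # constructed, not a real token
    with tempfile.TemporaryDirectory() as tmp:
        text_path = os.path.join(tmp, "oidc-token.txt")
        json_path = os.path.join(tmp, "oidc-token.json")
        write_token_file(text_path, fake_jwt)
        write_token_file(json_path, json.dumps({"token": fake_jwt}))
        return {
            "text_ok": check_external_account_config(make_config(text_path, {"type": "text"})),
            "json_ok": check_external_account_config(
                make_config(json_path, {"type": "json", "subject_token_field_name": "token"})),
            "json_missing_field": check_external_account_config(make_config(text_path, {"type": "json"})),
            "missing_file": check_external_account_config(make_config(os.path.join(tmp, "nope.txt"), {"type": "text"})),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

In a pipeline you would load the real `credential-config.json`, run `check_external_account_config` on it and fail the step before `mvn` if the list is non-empty; the same check run against the config that works with `gcloud auth login --cred-file` shows whether the file itself is the problem or the client library parsing it is.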
yolocs commented 1 year ago

Here is a similar use case:

We use https://github.com/google-github-actions/auth specifically with Workload Identity Federation in GitHub workflow to push/pull Maven packages. The action will generate a credential file and set GOOGLE_APPLICATION_CREDENTIALS. But the Maven wagon doesn't recognize the credential.

Sample error:

```
[INFO] ArtifactRegistry Maven Wagon: Retrieving credentials...
[INFO] Trying Application Default Credentials...
[INFO] Failed to retrieve Application Default Credentials: Error reading credential file from environment variable GOOGLE_APPLICATION_CREDENTIALS, value '/home/runner/work/lumberjack/lumberjack/gha-creds-9431c36ab7cdf0f2.json': Error reading credentials from stream, 'type' value 'external_account' not recognized. Expecting 'authorized_user' or 'service_account'.
```

jlubawy commented 1 year ago

We ran into the same issue. It appears the original issue regarding "subject_token_field_name must be set" was fixed by this: https://github.com/googleapis/google-auth-library-java/issues/815

So updating to the latest version of the dependency google-auth-library-oauth2-http should fix the issue in this project.