ScaleSec / gcp-workload-identity-federation

Pypi module to enable workload identity federation from AWS to GCP without the need for static credentials.

Enable using a different set of scopes for the generated token #23

Closed gmercadal closed 3 years ago

gmercadal commented 3 years ago

The current library implementation does hardcode the scopes for a given service account to https://www.googleapis.com/auth/cloud-platform. This is not going to allow using that token for actions that require additional scopes such as creating an external table in BigQuery that uses a drive document.

See for example how scopes are provided when using oauth for the same use case, https://docs.getdbt.com/reference/warehouse-profiles/bigquery-profile#local-oauth-gcloud-setup

This change does set up an additional parameter to the TokenService that maintains the default value and does allow users to set their own list of scopes (a comma-separated string of GCP scopes).
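As an added illustration (not the project's own code) of the scopes parameter described above: a parser for the comma-separated scope string that keeps cloud-platform as the default, rejects values that are not GCP OAuth scope URLs, and assembles the IAM Credentials `generateAccessToken` body, which expects scopes as a JSON list. The function names are assumptions, not the library's API.

```python
import json
from typing import Any, Dict, List, Optional

# The value the library hardcoded before this change.
DEFAULT_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
SCOPE_PREFIX = "https://www.googleapis.com/auth/"


def parse_scopes(scopes: Optional[str]) -> List[str]:
    """Turn a comma-separated scope string into a de-duplicated list.

    None or an empty/blank string falls back to the cloud-platform scope so
    existing callers keep their current behaviour. Surrounding whitespace is
    tolerated; anything that is not a googleapis OAuth scope URL is rejected
    rather than silently passed through to Google.
    """
    if scopes is None or not scopes.strip():
        return [DEFAULT_SCOPE]
    result: List[str] = []
    for raw in scopes.split(","):
        scope = raw.strip()
        if not scope:
            continue  # tolerate trailing or doubled commas
        if not scope.startswith(SCOPE_PREFIX) or scope == SCOPE_PREFIX:
            raise ValueError(f"not a GCP OAuth scope URL: {scope!r}")
        if scope not in result:
            result.append(scope)
    if not result:
        return [DEFAULT_SCOPE]
    return result


def access_token_request(scopes: Optional[str], lifetime_seconds: int = 3600) -> Dict[str, Any]:
    """Request body for iamcredentials.googleapis.com generateAccessToken.

    The API takes `scope` as a list of strings and `lifetime` as a duration
    string; a narrower scope list limits what the minted token can do.
    """
    return {
        "scope": parse_scopes(scopes),
        "lifetime": f"{lifetime_seconds}s",
    }


if __name__ == "__main__":
    # Constructed example: BigQuery plus read-only Drive, as needed for an
    # external table backed by a Drive document.
    body = access_token_request(
        "https://www.googleapis.com/auth/bigquery, https://www.googleapis.com/auth/drive.readonly"
    )
    print(json.dumps(body, indent=2))
```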

jdyke commented 3 years ago

@gmercadal 1.0.7 is ready to go!

https://pypi.org/project/scalesec-gcp-workload-identity/

gmercadal commented 3 years ago

Thank you!