Open abdolence opened 1 year ago
Hello,
Sorry for bumping an old issue, but I wonder if my use case is similar: I need to auth with WIP, but on any kind of Kubernetes cluster. In the end, I need to auth with this equivalent gcloud command, without using Service Account impersonation (source):
gcloud iam workload-identity-pools create-cred-config \
projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \
--credential-source-file=/var/run/service-account/token \
--credential-source-type=text \
--output-file=credential-configuration.json
If I'm not mistaken, the produced JSON file may be used as a TokenSourceType::Json, but I would be lacking the refresh automation, as the command given above should be run again before token expiration.
I planned on writing a custom Source for this use case, but that would probably benefit the project.
Do you have ideas about how things should be implemented? Like, creating a new variant of TokenSourceType?
Should I create another issue?
Thanks for reading!
Hi,
Your use case seems already covered in my implementation: https://github.com/abdolence/gcloud-sdk-rs/blob/5b8ef6a2b07f8792de1faf7c2fb62154ee12c391/gcloud-sdk/src/token_source/ext_creds_source/mod.rs#L11
AWS is a special one since it requires implementing complex interaction with AWS. Yours looks like just a file and it should work. GitHub has similar integration and it works even in this repo.
In theory you shouldn't write anything and can use the crate out of the box. It should handle workload identity in Kubernetes automatically (just make sure it is enabled in GKE).
Thanks for the quick reply!
Indeed, it looks like it is already covered, but in the above gcloud command example, I'm using the Kubernetes ServiceAccount token file, which just contains a JWT. So I'm guessing I should provide another file that contains all the other parameters, but what is its format? Or maybe export some env var that will hint the crate about what to use?
If I'm not mistaken, with what's done in the crate, I should just have to provide it:
I have probably missed something, sorry for asking.
Oh, right, you don't have a metadata server and stuff available, I guess? Is it some kind of self-hosted Kubernetes? Let me investigate the available options and come back to you.
I think I found something: https://cloud.google.com/iam/docs/workload-download-cred-and-grant-access
What it produces:
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<WIP_ID>/providers/<WIPP_ID>",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/run/secrets/kubernetes.io/serviceaccount/token",
    "format": {
      "type": "text"
    }
  }
}
I guess I just have to format the file for my needs and reference it with FileBased using JSON format.
I'll try that and let you know.
EDIT: And I think I can even use the GOOGLE_APPLICATION_CREDENTIALS default variable pointing to that file, to let the crate auto-discover the method.
EDIT 2: I confirm it works with GOOGLE_APPLICATION_CREDENTIALS pointing to the above file. Thanks!
Yeah, this should work. I was trying to find a similar example, glad you have already found it.
One thing worth mentioning about that file: please consider it a sensitive file too, so nobody can modify it. It doesn't contain a token, but it has sensitive settings, so if a malicious actor can modify it, they can extract token values to a specified location (for example, to some unexpected HTTP URL).
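The integrity point above, as an added example that is neither part of this thread nor of the gcloud-sdk-rs crate: a small Python check that an external_account configuration still points the Kubernetes token at Google's STS endpoint and a local file, plus a check that the file is not writable by others. The sample config is constructed from the JSON shown in the thread; the function and constant names are my own.

```python
import json
import os
import stat

# Constructed sample in the shape the thread shows for a Kubernetes
# service-account token source (placeholders kept as on the page).
SAMPLE_CONFIG = """{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<WIP_ID>/providers/<WIPP_ID>",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/run/secrets/kubernetes.io/serviceaccount/token",
    "format": {"type": "text"}
  }
}"""

# The only endpoint an untampered config should send the K8s token to.
GOOGLE_STS_URL = "https://sts.googleapis.com/v1/token"


def check_config(text: str) -> list[str]:
    """Return findings for an external_account config; an empty list means OK."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("type") != "external_account":
        findings.append("type is not external_account")
    if not str(cfg.get("audience", "")).startswith("//iam.googleapis.com/projects/"):
        findings.append("audience does not point at iam.googleapis.com")
    if cfg.get("token_url") != GOOGLE_STS_URL:
        findings.append(f"token_url is {cfg.get('token_url')!r}, expected Google STS")
    src = cfg.get("credential_source", {})
    if "url" in src or "file" not in src:
        # The thread's setup reads the token from a local file; a URL source means an edit.
        findings.append("credential_source must be a local token file, not a URL")
    if "service_account_impersonation_url" in cfg:
        # The thread's setup uses no impersonation; its presence also means an edit.
        findings.append("unexpected service_account_impersonation_url")
    return findings


def check_file_mode(path: str) -> list[str]:
    """Flag a config file that anyone other than its owner can modify."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return [f"{path} is group/world writable ({stat.filemode(mode)})"]
    return []
```

Run both checks against the file GOOGLE_APPLICATION_CREDENTIALS points at before the workload starts, so a modified config fails closed instead of silently redirecting tokens.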
AWS needs a specialised implementation for Workload Identity Federation authentication.
Described here: https://google.aip.dev/auth/4117