abdolence / sbt-gcs-resolver

SBT plugin for Google Cloud Storage (GCS) and Google Artifact Registry with Coursier support
Apache License 2.0

feat: allow authentication via access token #39

Closed faresismail96 closed 1 year ago

faresismail96 commented 1 year ago

Allows authenticating via an access token instead of a key file or default application credentials. This is very useful and secure if teams are setting up CIs with workload identity federation.

abdolence commented 1 year ago

Hey, thanks for the PR. I'll review it soon, but before we move to the details, I wanted to say I'm already using Workload Identity Federation even without this PR (https://cloud.google.com/iam/docs/workload-identity-federation) on GitHub actions, etc. It feels like you're doing some kind of manual work here.

This is my example for GitHub:

      - name: Authenticate Google Cloud
        id: auth
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: 'projects/${{ env.GCP_PROJECT_ID }}/locations/global/workloadIdentityPools/${{ env.GCP_IDENTITY_POOL }}/providers/${{ env.GCP_IDENTITY_POOL_PROVIDER }}'
          service_account: '${{ env.GCP_SA_NAME }}@${{ env.GCP_PROJECT }}.iam.gserviceaccount.com'
          access_token_lifetime: '240s'

This setup is kind of common for 'keyless' integration nowadays. Did you consider it?

faresismail96 commented 1 year ago

> Hey, thanks for the PR. I'll review it soon, but before we move to the details, I wanted to say I'm already using Workload Identity Federation even without this PR (https://cloud.google.com/iam/docs/workload-identity-federation) on GitHub actions, etc. It feels like you're doing some kind of manual work here.
>
> This is my example for GitHub:
>
>       - name: Authenticate Google Cloud
>         id: auth
>         uses: google-github-actions/auth@v1
>         with:
>           workload_identity_provider: 'projects/${{ env.GCP_PROJECT_ID }}/locations/global/workloadIdentityPools/${{ env.GCP_IDENTITY_POOL }}/providers/${{ env.GCP_IDENTITY_POOL_PROVIDER }}'
>           service_account: '${{ env.GCP_SA_NAME }}@${{ env.GCP_PROJECT }}.iam.gserviceaccount.com'
>           access_token_lifetime: '240s'
>
> This setup is kind of common for 'keyless' integration nowadays. Did you consider it?

Hello,

Thanks for getting back to me this quickly. Unfortunately our setup only allows us to authenticate via access token. This fixed it for us and I thought other people could benefit from it.
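As an added example (not code from the PR, from either commenter, or from the plugin's documentation), here is how the two approaches discussed in this thread fit together in one GitHub Actions workflow: the `google-github-actions/auth` step from the comment above mints a short-lived access token through Workload Identity Federation, and a later step hands that token to sbt. `permissions: id-token: write` is the GitHub Actions permission the OIDC exchange needs, and `token_format: 'access_token'` is the auth action's input that makes it emit `steps.auth.outputs.access_token`. The workflow name, the `env` values and the environment variable `GCS_ACCESS_TOKEN` are placeholders, since the page does not name the setting the plugin reads the token from.

```yaml
# Added example, not part of the PR. Placeholder values are marked as such.
name: publish

on:
  push:
    tags: ['v*']

# Workflow-level placeholders for the identifiers the auth step interpolates.
env:
  GCP_PROJECT_ID: '123456789012'            # placeholder: numeric project id of the WIF pool
  GCP_PROJECT: 'my-project'                 # placeholder: project hosting the service account
  GCP_IDENTITY_POOL: 'github-pool'          # placeholder
  GCP_IDENTITY_POOL_PROVIDER: 'github'      # placeholder
  GCP_SA_NAME: 'ci-publisher'               # placeholder

permissions:
  contents: read
  id-token: write      # lets the job request a GitHub OIDC token to exchange via WIF

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Authenticate Google Cloud
        id: auth
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: 'projects/${{ env.GCP_PROJECT_ID }}/locations/global/workloadIdentityPools/${{ env.GCP_IDENTITY_POOL }}/providers/${{ env.GCP_IDENTITY_POOL_PROVIDER }}'
          service_account: '${{ env.GCP_SA_NAME }}@${{ env.GCP_PROJECT }}.iam.gserviceaccount.com'
          token_format: 'access_token'      # produce steps.auth.outputs.access_token
          access_token_lifetime: '240s'     # token dies minutes after the job, unlike a key file

      - name: Publish with sbt
        env:
          # Placeholder variable name: substitute whatever the plugin reads.
          # The step output is a secret; never echo it into the job log.
          GCS_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
        run: sbt publish
```

The defender-side point of this shape is that no long-lived credential exists anywhere in the pipeline: there is no key file to store in repository secrets, to rotate, or to leak from a compromised runner, and the only token that ever touches the job is scoped to the chosen service account and expires after the configured lifetime.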

abdolence commented 1 year ago

Released in https://github.com/abdolence/sbt-gcs-resolver/releases/tag/v1.8.0