Closed matt-hottinger closed 2 years ago
Hi @matt-hottinger, this is a great suggestion. If you currently deploy the Apigee Edge module on a GCP Compute instance VM, it lets you use the default service account without having to enter a key.
It would be good to add this feature to support Kubernetes pods with workload identity federation.
This should work for GKE, since the code has been in place: https://github.com/apigee/apigee-client-php/blob/2.x/src/HttpClient/Plugin/Authentication/GceServiceAccount.php
https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#metadata_server
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Is your feature request related to a problem? Please describe
It would be preferable to be able to use short-lived access tokens instead of long-lived service account keys when configuring the Apigee Dev Portal Kickstart for Apigee X. At the moment it appears the only option is to configure using a GCP service account key.
Describe the solution you'd like
Using a GCP service account key is great for getting started quickly, but I would also like the option to use Workload Identity Federation when configuring the Kickstart Portal for Apigee X.
Describe alternatives you've considered
We've considered using a GCP service account key, but there's no guarantee about where the key is stored and who has access. This creates a secrets management problem and becomes a security risk in the long-term.
Additional context
This is the screen where I'd like the option to ditch the keys and use Workload Identity Federation:
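The comments above point out that on a GCE VM (and, via the GKE metadata server, in a pod with Workload Identity) a workload can obtain a short-lived access token from the instance metadata server instead of loading a long-lived service-account key. The following is an added example, not code from apigee-client-php, the Kickstart project or the issue author, showing what that token flow looks like and why it removes the key-storage problem described in the request: the credential is fetched on demand, expires in about an hour, and is refreshed automatically. It assumes the standard GCE metadata endpoint and `Metadata-Flavor: Google` header; the JSON response, the clock values and the helper names (`parse_token_response`, `TokenCache`, `demo`) are constructed for this illustration and will not run against a real metadata server outside GCE/GKE.

```python
"""Added example: short-lived metadata-server tokens instead of a key file.

Not part of apigee-client-php or the Apigee Dev Portal Kickstart. The
endpoint and header are the standard GCE ones; everything else here
(sample response, clock values, helper names) is constructed.
"""
import json
import time
import urllib.request
from dataclasses import dataclass

# Standard GCE metadata server endpoint. On GKE with Workload Identity the
# GKE metadata server answers the same path for the pod's bound identity.
METADATA_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

# Refresh this many seconds before the token actually expires.
REFRESH_MARGIN_SECONDS = 60

# Constructed sample response (not captured from a real metadata server).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "ya29.EXAMPLE-TOKEN",
    "expires_in": 3599,
    "token_type": "Bearer",
})


@dataclass
class AccessToken:
    value: str
    expires_at: float  # absolute epoch seconds
    token_type: str = "Bearer"

    def is_expired(self, now=None, margin=REFRESH_MARGIN_SECONDS):
        now = time.time() if now is None else now
        return now + margin >= self.expires_at

    def authorization_header(self):
        return {"Authorization": f"{self.token_type} {self.value}"}


def parse_token_response(body, now):
    """Parse the metadata server's JSON token response.

    The server returns {"access_token": ..., "expires_in": seconds,
    "token_type": "Bearer"}; expires_in is relative, so pin it to an
    absolute time immediately rather than trusting it later.
    """
    data = json.loads(body)
    for key in ("access_token", "expires_in"):
        if key not in data:
            raise ValueError(f"metadata token response missing {key!r}")
    return AccessToken(
        value=data["access_token"],
        expires_at=now + float(data["expires_in"]),
        token_type=data.get("token_type", "Bearer"),
    )


def fetch_metadata_token(url=METADATA_TOKEN_URL, opener=urllib.request.urlopen,
                         timeout=5):
    """Fetch a token from the metadata server (network call; GCE/GKE only)."""
    req = urllib.request.Request(url, headers=METADATA_HEADERS)
    with opener(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode(), time.time())


class TokenCache:
    """Holds the current token and re-fetches it shortly before expiry, so
    the process never keeps a credential valid for longer than ~1 hour and
    never stores anything on disk."""

    def __init__(self, fetcher, clock=time.time):
        self._fetcher = fetcher   # callable(now) -> AccessToken
        self._clock = clock
        self._token = None
        self.fetch_count = 0

    def get(self):
        now = self._clock()
        if self._token is None or self._token.is_expired(now):
            self._token = self._fetcher(now)
            self.fetch_count += 1
        return self._token


def demo():
    """Drive the cache with the constructed response and a fake clock."""
    clock = {"now": 1_700_000_000.0}
    fetcher = lambda now: parse_token_response(SAMPLE_RESPONSE, now)
    cache = TokenCache(fetcher, clock=lambda: clock["now"])
    first = cache.get()
    clock["now"] += 1800          # 30 min later: still valid, no refetch
    second = cache.get()
    clock["now"] += 1800          # ~60 min: inside refresh margin, refetch
    third = cache.get()
    return cache.fetch_count, first is second, third is not second


if __name__ == "__main__":
    print(demo())  # (2, True, True)
```

In production the `fetcher` passed to `TokenCache` would be `fetch_metadata_token`; the constructed `demo()` swaps in the sample response so the behaviour can be exercised offline. The practical point for the Kickstart use case is that nothing in this flow is a secret an operator has to store, rotate or protect: access is governed by which service account is bound to the VM or pod, and a leaked token is only useful until `expires_at`.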