fluxcd / pkg

Toolkit common packages
https://pkg.go.dev/github.com/fluxcd/pkg
Apache License 2.0

Support cross cloud federation #311

Open danquack opened 2 years ago

danquack commented 2 years ago

GCP supports authenticating from different trusted identities. One possible authentication story is a user wants to auth from AWS against a GCloud Container Registry. Currently the auth code only supports querying the internal metadata URL via the const GCP_TOKEN_URL.

References:
https://cloud.google.com/iam/docs/configuring-workload-identity-federation
https://cloud.google.com/iam/docs/using-workload-identity-federation#aws_3

thejosephstevens commented 1 month ago

I'm going to look into taking this on. I had assumed that the GCP provider operated on the standard GCP auth resolution, but as it works here you have to either pass a secret into the upstream resource (e.g. OCIRepository), or you have to be running in GCP and using a metadata endpoint for auth. I run in all 3 clouds, and wanted to distribute all artifacts from a centralized place in GCP, and I was really trying to avoid shipping service account json creds around everywhere. I don't want to use node-level permissions because that requires allowing a pod to access node permissions, which we lock down by default, and we use a custom CNI in GKE which doesn't play well with the GKE Metadata Server daemon, so that's also not an option.
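What the federation path would have to do that the GCP_TOKEN_URL metadata path does not, as an added example written for this thread (not code from fluxcd/pkg): it loads a GCP external_account credential config for an AWS identity, refuses one that would send the AWS-signed subject token anywhere other than Google's IAM/STS endpoints, and builds the STS token-exchange body. The sample config values, the endpoint-pinning policy and the placeholder subject token (the SigV4-signed GetCallerIdentity request is not built here) are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/url"
	"strings"
)
// Values GCP's STS expects when the external identity is a SigV4-signed AWS GetCallerIdentity request.
const (
	awsSubjectTokenType = "urn:ietf:params:aws:token-type:aws4_request"
	stsTokenURL         = "https://sts.googleapis.com/v1/token"
)
// externalAccount holds the fields of a GCP "external_account" credential config the exchange needs.
type externalAccount struct {
	Type             string `json:"type"`
	Audience         string `json:"audience"`
	SubjectTokenType string `json:"subject_token_type"`
	TokenURL         string `json:"token_url"`
}
// parseExternalAccount loads the config and pins it to Google's IAM/STS endpoints (assumed policy).
func parseExternalAccount(raw []byte) (*externalAccount, error) {
	var cfg externalAccount
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	if cfg.Type != "external_account" || cfg.SubjectTokenType != awsSubjectTokenType {
		return nil, errors.New("not an AWS external_account credential config")
	}
	if !strings.HasPrefix(cfg.Audience, "//iam.googleapis.com/projects/") || cfg.TokenURL != stsTokenURL {
		return nil, errors.New("audience or token_url does not point at Google IAM/STS")
	}
	return &cfg, nil
}
// stsExchangeForm builds the RFC 8693 token-exchange body posted to cfg.TokenURL.
func stsExchangeForm(cfg *externalAccount, subjectToken string) url.Values {
	return url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"audience":             {cfg.Audience},
		"scope":                {"https://www.googleapis.com/auth/cloud-platform"},
		"requested_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"subject_token_type":   {cfg.SubjectTokenType},
		"subject_token":        {subjectToken},
	}
}
// sampleConfig is a constructed credential config; project number, pool and provider are placeholders.
const sampleConfig = `{"type": "external_account",
 "audience": "//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/example-pool/providers/aws-provider",
 "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
 "token_url": "https://sts.googleapis.com/v1/token"}`
```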