googleapis / google-auth-library-nodejs

🔑 Google Auth Library for Node.js
Apache License 2.0

Connect to IAP protected endpoint with Workload Identity Federation #1545

Open michajas opened 1 year ago

michajas commented 1 year ago

Hi! I'm trying to create a setup where I can run my code that will impersonate an SA based on Workload Identity Federation and then call an IAP-protected endpoint (running on Cloud Run). I've managed to do such a setup with the Python library, but I'm unable to do it in nodejs.

I've tried to combine samples regarding WIF and IAP but without any luck.

When running const client = await auth.getIdTokenClient(targetAudience); I'm getting the error: Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file. My GOOGLE_APPLICATION_CREDENTIALS var is pointing to a valid external_account credentials file.

Could you please point me to the right solution?

sofisl commented 1 year ago

Hi @michajas, we haven't yet supported this feature unfortunately. We are discussing the FR as it's been requested in a few other issues on this repo. We'll update once we have an answer!

aryzle commented 1 month ago

Hey @sofisl @danielbankhead, I'm also stuck on this. Any word on this FR? Or is there a way to work around this? I'm trying to run automated tests in a GH action using Playwright by hitting an app that's behind IAP. Works locally with my own credentials.

dwiq-jskander commented 1 month ago

In the same situation here. GitHub Actions + Workload Identity Federation. We're able to impersonate the GitHub Actions SA locally and auth to IAP without issue. The issue appears to be isolated to WIF and not just impersonation of a SA.