googleapis / google-auth-library-php

Google Auth Library for PHP
http://googleapis.github.io/google-auth-library-php/
Apache License 2.0
1.33k stars 191 forks

Add workload identity federation support for ecs tasks #496

Open jaimemasson opened 11 months ago

jaimemasson commented 11 months ago

Would like to be able to use workload identity federation on ECS tasks like EC2 instances.

bshaffer commented 11 months ago

Hello @jaimemasson! We already have support for Workload Identity Federation! Check out the README here and let us know if you run into any problems:

https://github.com/googleapis/google-auth-library-php#external-credentials-workload-identity-federation

jaimemasson commented 10 months ago

@bshaffer this seems to only work for AWS on EC2 instances, but as far as I can tell ECS services (tasks) use different endpoints to assume a role and therefore this method as mentioned doesn't work. From what I can tell this should probably be handled with an update both on the downloaded credentials side and the library side, but potentially handled just on the library side with some documentation. If I am mistaken and this works with ECS containers, any guidance would be welcome.

bshaffer commented 10 months ago

I only tested on EC2 instances.

@aeitzman do you know if WIF is supported for ECS Tasks?

jaimemasson commented 10 months ago

@bshaffer I'm pretty sure it doesn't support ECS, as EC2 uses a static endpoint to retrieve cred metadata, whereas ECS tasks have a variable cred metadata endpoint set in an ENV variable.
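The difference described in this thread, as an added illustration that is not part of the issue and not code from google-auth-library-php: on EC2 the credential document comes from the fixed IMDS path, while inside an ECS task the agent publishes the path in `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` (relative to `169.254.170.2`) or `AWS_CONTAINER_CREDENTIALS_FULL_URI`. Both endpoints return a JSON document with `AccessKeyId`, `SecretAccessKey`, `Token` and `Expiration`. The resolver below picks the endpoint from the environment the way a custom AWS security-credentials supplier would have to, and parses a constructed sample document offline; the function and class names are this example's own, and it is written in Python rather than PHP so it is not mistaken for the library's API.

```python
import json
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Endpoints as documented by AWS (not taken from the library).
EC2_IMDS_CREDENTIALS_URL = (
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
)
ECS_CREDENTIALS_BASE = "http://169.254.170.2"
# Environment variables the ECS agent sets inside a task container.
ECS_RELATIVE_URI_ENV = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
ECS_FULL_URI_ENV = "AWS_CONTAINER_CREDENTIALS_FULL_URI"


@dataclass(frozen=True)
class AwsSecurityCredentials:
    """Hypothetical value object for the fields both endpoints return."""
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str]
    expiration: Optional[datetime]


def resolve_credentials_url(env: Dict[str, str]) -> Tuple[str, str]:
    """Return (source, url). ECS task variables take precedence; with
    neither set, fall back to the static EC2 IMDS path."""
    full_uri = env.get(ECS_FULL_URI_ENV)
    if full_uri:
        return ("ecs", full_uri)
    relative_uri = env.get(ECS_RELATIVE_URI_ENV)
    if relative_uri:
        return ("ecs", ECS_CREDENTIALS_BASE + relative_uri)
    return ("ec2", EC2_IMDS_CREDENTIALS_URL)


def parse_credentials(body: str) -> AwsSecurityCredentials:
    """Parse the JSON credential document shared by EC2 IMDS and ECS."""
    doc = json.loads(body)
    missing = [k for k in ("AccessKeyId", "SecretAccessKey") if k not in doc]
    if missing:
        raise ValueError(f"credential document missing fields: {missing}")
    exp_raw = doc.get("Expiration")
    expiration = (
        datetime.fromisoformat(exp_raw.replace("Z", "+00:00")) if exp_raw else None
    )
    return AwsSecurityCredentials(
        access_key_id=doc["AccessKeyId"],
        secret_access_key=doc["SecretAccessKey"],
        session_token=doc.get("Token"),
        expiration=expiration,
    )


def needs_refresh(creds: AwsSecurityCredentials, now: datetime,
                  skew: timedelta = timedelta(minutes=5)) -> bool:
    """Treat credentials as stale a little before their stated expiry so a
    token exchange never races the rotation."""
    if creds.expiration is None:
        return False
    return now + skew >= creds.expiration


# Constructed sample document (placeholder values, not real credentials).
SAMPLE_ECS_BODY = json.dumps({
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "example-secret-placeholder",
    "Token": "example-session-token-placeholder",
    "Expiration": "2030-01-01T00:00:00Z",
})


if __name__ == "__main__":
    source, url = resolve_credentials_url(dict(os.environ))
    print(f"credential source: {source}, url: {url}")
    creds = parse_credentials(SAMPLE_ECS_BODY)
    print("stale:", needs_refresh(creds, datetime.now(timezone.utc)))
```

Run inside an ECS task and the resolver reports `ecs` with the agent-supplied path; anywhere else it falls back to the EC2 path, which is the behaviour the thread says the current external-account flow hard-codes.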

bshaffer commented 4 months ago

@jaimemasson I'll get in touch with our team and see what we can do. I am also open to merging a PR if you feel like submitting support for this feature!

bshaffer commented 4 months ago

@jaimemasson So the response here is that we don't currently support WIF for ECS Tasks natively in any of the Google auth libraries. We did add support recently in some of the libraries for users to inject their own logic to retrieve AWS security credentials, but there's no native support in the "external account credentials file" as of yet. It's in the backlog to add eventually, but no timeline right now.