Closed brimoor closed 3 months ago
Lgtm; what cred types did you test with
This PR worked for service account creds. I still haven't figured out a way to generate WIF external credentials
I confirmed that both of these work:
```python
import eta.core.serial as etas
import google.auth as ga

# Service account
credentials_path = "/path/to/gcp-service-account.json"
credentials, _ = ga.load_credentials_from_file(credentials_path)

# External account
credentials_path = "/tmp/gcp-credentials.json"
d = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/${OpenShift_GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${OpenShift_WORKLOAD_IDENTITY_POOL}/providers/${OpenShift_WORKLOAD_IDENTITY_POOL}",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "file": "/var/run/secrets/openshift/serviceaccount/token",
        "format": {
            "type": "text"
        }
    },
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GCP_SA}@${GCP_PROJECT_ID}.iam.gserviceaccount.com:generateAccessToken"
}
etas.write_json(d, credentials_path)
credentials, _ = ga.load_credentials_from_file(credentials_path)
```
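Added example, not part of the PR or its discussion: an `external_account` file decides which URLs receive the subject token and where that token is read from, so a config supplied from outside your control is worth checking before it reaches `load_credentials_from_file()`. The function name `check_gcp_credential_config`, the allowlists and the sample service account are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlparse

# Assumed policy for this sketch (not from the PR); adjust per deployment.
ALLOWED_TYPES = {"service_account", "external_account"}
ALLOWED_HOSTS = {
    "token_url": "sts.googleapis.com",
    "service_account_impersonation_url": "iamcredentials.googleapis.com",
}
ALLOWED_TOKEN_DIRS = ("/var/run/secrets/",)

# Constructed sample, shaped like the external_account config in the thread.
SAMPLE = {
    "type": "external_account",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/var/run/secrets/openshift/serviceaccount/token"},
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@example-project.iam.gserviceaccount.com:generateAccessToken",
}


def check_gcp_credential_config(info):
    """Return a list of policy violations for a parsed credentials dict."""
    problems = []
    ctype = info.get("type")
    if ctype not in ALLOWED_TYPES:
        problems.append(f"type {ctype!r} not allowed")
    if ctype != "external_account":
        return problems
    for key, host in ALLOWED_HOSTS.items():
        value = info.get(key)
        if value is None:
            continue  # absent keys are left to the library
        url = urlparse(str(value))
        if url.scheme != "https" or url.hostname != host:
            problems.append(f"{key} must be https://{host}/...")
    source = info.get("credential_source")
    if not isinstance(source, dict):
        return problems + ["credential_source missing"]
    # url/executable sources make the library fetch or run something
    for risky in ("url", "executable"):
        if risky in source:
            problems.append(f"credential_source.{risky} not allowed")
    path = source.get("file")
    if path is not None:
        norm = posixpath.normpath(path)  # collapse ../ before comparing
        if not norm.startswith(ALLOWED_TOKEN_DIRS):
            problems.append(f"credential_source.file {path!r} outside allowed dirs")
    return problems
```

Run it on the parsed JSON and call `google.auth.load_credentials_from_file()` only when the returned list is empty.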
Use `google.auth.load_credentials_from_file()` to load GCP credentials. Previously we only supported service accounts, now we support all things that Google supports: