yoshidan / google-cloud-rust

Google Cloud Client Libraries for Rust.
MIT License

Workload identity #157

Closed kmathew closed 1 year ago

kmathew commented 1 year ago

What is the correct way to set up client config to get it working with workload identity from GCP?

I am using a patched dependency with the main branch since crates are updated manually. Using default auth does not work like it does in local.

ClientConfig::default().with_auth().await.unwrap()

results in thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: HttpError(reqwest::Error { kind: Decode, source: Error("expected value", line: 1, column: 1) })', /root/project/src/router.rs:22:51

kmathew commented 1 year ago

I reverted the patch to this rev: 5eb08b64c442a172a7745112bdec37d3b41fcdcd. It's working now. Something afterwards broke it.

yoshidan commented 1 year ago

Could you please tell me the following so I can investigate.

  1. What credentials are you using? You may mask sensitive information with XXX or something similar. ("type": "external_account" is currently unsupported)

  2. Does it work with 7e47243374bdae3bea736431345678e31ddebc4f?

kmathew commented 1 year ago

  1. using workload identity with k8s SA with IAM permission type: service_account
  2. 7e47243374bdae3bea736431345678e31ddebc4f is working

I'm using feature = storage

yoshidan commented 1 year ago

I have confirmed that it works with GKE using workload identity Autopilot. We have confirmed that it works with the latest version we published to crates.io yesterday.

We need more detailed information as there is no error here.

kmathew commented 1 year ago

I believe this was a mistake on my part. I was not using the correct revision for google_cloud_token. I'm using the newly published crates and can confirm that it's working.