Closed yoshidan closed 1 year ago
How to use

Specify the `external-account` feature:

```toml
google-cloud-pubsub = { version="0.18.0", default-features=false, features=["trace", "auth", "external-account", "rustls-tls"]}
```

Set the external account JSON file path as the environment variable `GOOGLE_APPLICATION_CREDENTIALS` in AWS (e.g. EC2):

```sh
# download from GCP workload identity provider 'CONNECTED SERVICE ACCOUNTS'
export GOOGLE_APPLICATION_CREDENTIALS=./clientLibraryConfig-xxxx.json
cat $GOOGLE_APPLICATION_CREDENTIALS
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/myprojectnumber/locations/global/workloadIdentityPools/xxx/providers/xxx",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/test",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}
```
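The URLs in this file decide where instance credentials are fetched from and where signed requests are sent, so a file that did not come straight from your own GCP project is worth linting before `GOOGLE_APPLICATION_CREDENTIALS` points at it. The following pre-flight check is an added example, not code from this PR or the crate; the host allowlist, the set of required fields and the names `RULES`, `lookup` and `check_external_account` are assumptions based on the sample file above.

```python
import json
from urllib.parse import urlsplit

# Assumed policy for this example (not taken from the crate): scheme + host rule per URL field.
RULES = {
    "token_url": ("https", lambda h: h == "sts.googleapis.com"),
    "service_account_impersonation_url": ("https", lambda h: h == "iamcredentials.googleapis.com"),
    "credential_source.region_url": ("http", lambda h: h == "169.254.169.254"),
    "credential_source.url": ("http", lambda h: h == "169.254.169.254"),
    "credential_source.regional_cred_verification_url":
        ("https", lambda h: h.startswith("sts.") and h.endswith(".amazonaws.com")),
}

def lookup(cfg, dotted):
    node = cfg  # walk a dotted field path; None if any level is missing
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def check_external_account(cfg):
    """Return a list of problems; an empty list means every URL matched the policy."""
    problems = [] if cfg.get("type") == "external_account" else ["type: expected external_account"]
    for field, (scheme, host_ok) in RULES.items():
        value = lookup(cfg, field)
        if value is None:
            # Assumption: only the impersonation URL is optional.
            if field != "service_account_impersonation_url":
                problems.append(f"{field}: missing")
            continue
        parts = urlsplit(str(value))
        if parts.scheme != scheme or parts.username or not host_ok(parts.hostname or ""):
            problems.append(f"{field}: unexpected endpoint {value!r}")
    return problems

# The sample file shown above, followed by a constructed tampered copy.
SAMPLE = json.loads("""{"type": "external_account",
 "audience": "//iam.googleapis.com/projects/myprojectnumber/locations/global/workloadIdentityPools/xxx/providers/xxx",
 "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
 "service_account_impersonation_url": "https://iamcredentials.googleapis.com/test",
 "token_url": "https://sts.googleapis.com/v1/token",
 "credential_source": {"environment_id": "aws1",
  "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
  "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
  "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"}}""")
TAMPERED = json.loads(json.dumps(SAMPLE))
TAMPERED["token_url"] = "https://sts.googleapis.com.example.net/v1/token"
TAMPERED["credential_source"]["url"] = "http://169.254.169.254.example.net/creds"
```

`check_external_account(SAMPLE)` returns an empty list, while the tampered copy is reported for `token_url` and `credential_source.url`.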