yoshidan / google-cloud-rust

Google Cloud Client Libraries for Rust.
MIT License

support Workload Identity Federation #233

Open danburkert opened 4 months ago

danburkert commented 4 months ago

Hi, I have GitHub Action CI workloads which authenticate to GCP using 'Workload Identity Federation through a Service Account' following the configuration in the linked google-authored action.

I have enabled the external-account feature in google-cloud-auth.

When using google-cloud-storage in this CI environment authentication fails with Error: external account error : Unsupported Subject Token Source.

I believe this is expected behavior based on a TODO in the codebase: https://github.com/yoshidan/google-cloud-rust/blob/main/foundation/auth/src/token_source/external_account_source/mod.rs#L107-L108, but I wanted to file an issue to track progress and see if there are any workarounds, particularly in a GitHub Actions environment.

danburkert commented 4 months ago

This is possibly a dupe of #171, but I couldn't tell for sure.

yoshidan commented 4 months ago

Currently we only support AWS for workload identity federation.

I have not yet investigated the details of how to work with github actions, but referring to the Go source, the credential source should be either FILE, URL, or Executable in this case.

https://github.com/golang/oauth2/blob/ebe81ad83719fe3426335b22e40a1e3a76fa45c0/google/internal/externalaccount/basecredentials.go#L147

I will check what the credential source will actually be.

moricho commented 4 months ago

I've run into the same issue and am currently investigating it. Seems the credential source is URL type. Here's the credential I got on GitHub Actions (partially masked) 👇

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/***",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "url": "***",
    "headers": {
      "Authorization": "***"
    },
    "format": {
      "type": "json",
      "subject_token_field_name": "value"
    }
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken"
}

As far as I've investigated the URL type implementation in Go, it does not seem to be that complicated: https://github.com/golang/oauth2/blob/ebe81ad83719fe3426335b22e40a1e3a76fa45c0/google/internal/externalaccount/urlcredsource.go
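The URL credential-source flow described in the comment above, worked through as an added example that is not code from google-cloud-rust, from the Go oauth2 package, or from any commenter. It is written in Go with only the standard library because the linked Go implementation is the reference the thread points at. It parses a credential config in the shape of the masked sample, fetches the subject token from a constructed stand-in for the GitHub Actions OIDC endpoint that checks the Authorization header, and applies the format rule to pull the JWT out of the JSON response. The type names, the fake server, the placeholder audience and the bearer value are assumptions of this example; the later steps, exchanging the subject token at token_url and then calling service_account_impersonation_url, are not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CredentialConfig is the external_account JSON the google-github-actions/auth action writes (see the
// masked sample above); only the URL kind of credential_source is modelled, file/executable/AWS fields are left out.
type CredentialConfig struct {
	Type                           string           `json:"type"`
	Audience                       string           `json:"audience"`
	SubjectTokenType               string           `json:"subject_token_type"`
	TokenURL                       string           `json:"token_url"`
	CredentialSource               CredentialSource `json:"credential_source"`
	ServiceAccountImpersonationURL string           `json:"service_account_impersonation_url,omitempty"`
}

type CredentialSource struct {
	URL     string            `json:"url"`
	Headers map[string]string `json:"headers,omitempty"`
	Format  *Format           `json:"format,omitempty"` // nil means "text"
}
type Format struct {
	Type                  string `json:"type"` // "text" or "json"
	SubjectTokenFieldName string `json:"subject_token_field_name,omitempty"`
}

// ExtractSubjectToken applies Format: "text" takes the whole body, "json" one string field.
func ExtractSubjectToken(body []byte, f *Format) (string, error) {
	if f == nil || f.Type == "" || f.Type == "text" {
		return strings.TrimSpace(string(body)), nil
	}
	if f.Type != "json" || f.SubjectTokenFieldName == "" {
		return "", fmt.Errorf("unsupported format %q (json needs subject_token_field_name)", f.Type)
	}
	var m map[string]any
	if err := json.Unmarshal(body, &m); err != nil {
		return "", fmt.Errorf("subject token body is not JSON: %w", err)
	}
	tok, ok := m[f.SubjectTokenFieldName].(string)
	if !ok || tok == "" {
		return "", fmt.Errorf("field %q missing or not a string", f.SubjectTokenFieldName)
	}
	return tok, nil
}

// FetchSubjectToken is the URL credential-source step: GET the URL with the configured
// headers (on GitHub Actions, the runner's bearer token) and pull the OIDC token out.
func FetchSubjectToken(client *http.Client, s CredentialSource) (string, error) {
	req, err := http.NewRequest(http.MethodGet, s.URL, nil)
	if err != nil {
		return "", err
	}
	for k, v := range s.Headers {
		req.Header.Set(k, v)
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound what the endpoint can send us
	if err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("subject token endpoint: status %d, read error %v, body %q", resp.StatusCode, err, body)
	}
	return ExtractSubjectToken(body, s.Format)
}

// NewFakeIDTokenServer is a constructed stand-in for the GitHub Actions OIDC endpoint:
// it demands the expected bearer token and answers {"value": jwt}, as the real one does.
func NewFakeIDTokenServer(bearer, jwt string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "bearer "+bearer {
			http.Error(w, `{"message":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"value": jwt})
	}))
}

func main() {
	srv := NewFakeIDTokenServer("runner-token", "eyJhbGciOiJSUzI1NiJ9.fake.sig")
	defer srv.Close()
	// Constructed config in the shape of the masked sample; pool and provider IDs are placeholders.
	raw := fmt.Sprintf(`{"type":"external_account","audience":"//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/example-pool/providers/example-provider","subject_token_type":"urn:ietf:params:oauth:token-type:jwt","token_url":"https://sts.googleapis.com/v1/token","credential_source":{"url":%q,"headers":{"Authorization":"bearer runner-token"},"format":{"type":"json","subject_token_field_name":"value"}}}`, srv.URL)
	var cfg CredentialConfig
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		panic(err)
	}
	tok, err := FetchSubjectToken(srv.Client(), cfg.CredentialSource)
	if err != nil {
		panic(err)
	}
	fmt.Println("subject token:", tok)
}
```

The body cap and the explicit non-200 check are there because the token endpoint and its response sit outside the client's trust boundary even on a CI runner; a wrong or missing Authorization header surfaces as an error rather than an empty subject token being forwarded to the STS exchange.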

theoribeiro commented 3 months ago

I see this was merged a couple of weeks ago. Any chance you'll publish a new release with it soon?

yoshidan commented 3 months ago

@theoribeiro I have now published google-cloud-auth v0.13.2.

theoribeiro commented 3 months ago

Unfortunately I'm still getting unsupported account external_account when using Workload Identity Federation on Github Actions. Any idea why?

theoribeiro commented 3 months ago

Ah, never mind! This is behind a feature gate that I didn't know about. I added external-account and it's now solved and working in the CI.