feat: workload identity federation support#686
Merged
busunkim96 merged 18 commits intogoogleapis:masterfrom Feb 9, 2021
bojeil-google:master
Merged
feat: workload identity federation support#686busunkim96 merged 18 commits intogoogleapis:masterfrom bojeil-google:master
busunkim96 merged 18 commits intogoogleapis:masterfrom
bojeil-google:master
Conversation
…#594) This defines internal utilities to handle: - OAuth client authentication - Standard OAuth error response parsing into OAuthError exception.
* refactor: split 'with_quota_project' into separate base class (#561) * feat: implements the OAuth token exchange spec based on rfc8693
…ss for external_account credentials (#603)
…ount.Credentials` (#605) If the `service_account_impersonation_url` is provided, an additional step to exchange the external account GCP access token for a service account impersonated token is performed. This is needed because many Google Cloud services do not yet support external account GCP access tokens. In order to support service account impersonations, we depend on `google.auth.impersonated_credentials.Credentials` which has been extended to accept an override of the IAM `GenerateAccessToken endpoint`. This is useful when supporting impersonation with regional endpoints.
Syncs the BYOID branch to master. No additional changes added.
…d Azure workloads (#617)
Implements the AWS signature version 4 for signing requests based on: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html It will be used to generate signed requests to AWS GetCallerIdentity API. https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html This API is used to securely return details about the IAM user or role whose credentials are used to call the operation. The majority of the test cases are using the AWS SDK test fixtures.
) This will subclass the abstract class `google.auth.external_account.Credentials` and will compute subject tokens as follows: - Retrieve AWS region from either `AWS_REGION` envvar or AWS metadata server `availability-zone`. - Check AWS credentials in environment variables: - `AWS_ACCESS_KEY_ID` - `AWS_SECRET_ACCESS_KEY` - `AWS_SESSION_TOKEN`. If not found, get from AWS metadata server `security-credentials` endpoint. - Get AWS credentials from AWS metadata server `security-credentials` endpoint. In order to retrieve this, the AWS role needs to be determined by calling `security-credentials` endpoint without any argument. Then the credentials can be retrieved via: `security-credentials/role_name` - Generate the signed request to AWS STS `GetCallerIdentity` action. - Inject `x-goog-cloud-target-resource` into reformatted header and serialize the signed request. This will be the subject-token to pass to GCP STS.
* refactor: split 'with_quota_project' into separate base class (#561) Co-authored-by: Tres Seaver <tseaver@palladion.com> * fix: dummy commit to trigger a auto release (#597) * chore: release 1.21.1 (#599) * chore: updated CHANGELOG.md [ci skip] * chore: updated setup.cfg [ci skip] * chore: updated setup.py Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> * fix: migrate signBlob to iamcredentials.googleapis.com (#600) Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com. This API is deprecated and will be shutdown in one year. This is used google.auth.iam.Signer. Added a system_test to sanity check the implementation. * chore: release 1.21.2 (#601) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> * fix: fix expiry for `to_json()` (#589) * This patch for </issues/501> includes the following fixes: - The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file. - For refresh needs, `expiry` also needs to be saved via `to_json()`. - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency. - LOAD: Add code to restore `expiry` back to `datetime.datetime` object when imported. - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place. - Minor `scopes` updates - DUMP: Add property for `scopes` so `to_json()` can grab it - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported. * chore: add default CODEOWNERS (#609) * chore: release 1.21.3 (#607) * feat: add asyncio based auth flow (#612) * feat: asyncio http request logic and asynchronous credentials logic (#572) Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com> * chore: release 1.22.0 (#615) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> * fix: move aiohttp to extra as it is currently internal surface (#619) Fix #618. Removes aiohttp from required dependencies to lessen dependency tree for google-auth. This will need to be looked at again as more folks use aiohttp and once the surfaces goes to public visibility. * chore: release 1.22.1 (#620) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> * fix: remove checks for ancient versions of Cryptography (#596) Refs #595 (comment) I see no point in checking whether someone is running a version of https://github.com/pyca/cryptography/ from 2014 that doesn't even compile against modern versions of OpenSSL anymore. * chore: sync to master Syncs to master. Fixes broken unit tests in Python 3.6 and 3.7. Aligns test_identity_pool.py with test_aws.py. Co-authored-by: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com> Co-authored-by: Tres Seaver <tseaver@palladion.com> Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com> Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: wesley chun <wescpy@gmail.com> Co-authored-by: Christopher Wilcox <crwilcox@google.com> Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com> Co-authored-by: Aarni Koskela <akx@iki.fi>
…redentials (#631) This is introduced to support the current pattern of using the Auth library: `credentials, project_id = google.auth.default()` This will be added to the project ID determination logic: https://github.com/googleapis/google-auth-library-python/blob/3b3172ef94c110c81a49bc160123e8ff55141e65/google/auth/_default.py#L338 This will first determine the project number from the STS audience: `//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/...` It will then call cloud resource manager to determine the project information: https://cloudresourcemanager.googleapis.com/v1/projects/$PROJECT_NUMBER This may fail for the following reasons: - The resource may not have permission (resourcemanager.projects.get) to call this API - Required scopes may not be selected: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes To reduce cost of this API, we will fail quickly and not retry and we will use scopes provided as is.
…auth.load_credentials_from_file()` (#635) - Adds implicit ADC support for external account credentials via `google.auth.default()`. - Adds explicit support for external account credentials via `google.auth.load_credentials_from_file()`. - Adds optional `google.auth.transport.Request` argument to `load_credentials_from_file` to facilitate retrieval of workload identity pool project ID if determinable. This follows a similar pattern set by `_get_gce_credentials` method. - Related comprehensive unit tests have been added to only the public methods (`default()` and `load_credentials_from_file()`). - Updated constructor invalid argument exceptions for `google.auth.identity_pool.Credentials` and `google.auth.aws.Credentials` to be `ValueError` instead of `exceptions.GoogleAuthError`. This aligns these credentials with service account credentials behavior.
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
busunkim96
approved these changes
Feb 9, 2021
Contributor
|
CLAs were granted when the commits were merged to the master branch. |
busunkim96
added a commit
that referenced
this pull request
Feb 11, 2021
This reverts commit 5dcd2b1.
arithmetic1728
pushed a commit
that referenced
this pull request
Feb 11, 2021
busunkim96
pushed a commit
that referenced
this pull request
Feb 16, 2021
Using workload identity federation, applications can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload identity federation is recommended for non-Google Cloud environments as it avoids the need to download, manage and store service account private keys locally. This includes a rollforward of the [previous reverted PR](#686) and the [fix](#686) to not pass scopes to user credentials from `google.auth.default()`.
parthea
pushed a commit
to googleapis/google-cloud-python
that referenced
this pull request
Nov 26, 2025
Using workload identity federation, applications can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload identity federation is recommended for non-Google Cloud environments as it avoids the need to download, manage and store service account private keys locally. This includes a rollforward of the [previous reverted PR](googleapis/google-auth-library-python#686) and the [fix](googleapis/google-auth-library-python#686) to not pass scopes to user credentials from `google.auth.default()`.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Using workload identity federation, applications can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload identity federation is recommended for non-Google Cloud environments as it avoids the need to download, manage and store service account private keys locally.