From 94e1935f06be6d9c4cc9397cdbbd78dff4f30187 Mon Sep 17 00:00:00 2001
From: Robert Clark
Date: Fri, 28 Oct 2022 17:13:19 -0400
Subject: [PATCH] chore: Ensure the subject token type matches AWS before building AwsCredentials

---
 lib/googleauth/external_account.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/googleauth/external_account.rb b/lib/googleauth/external_account.rb
index 45f72d0c..c82b51ad 100644
--- a/lib/googleauth/external_account.rb
+++ b/lib/googleauth/external_account.rb
@@ -23,6 +23,10 @@ module Auth
     # Authenticates requests using External Account credentials, such
     # as those provided by the AWS provider.
     class ExternalAccountCredentials
+      # The subject token type used for AWS external_account credentials.
+      AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request".freeze
+      AWS_SUBJECT_TOKEN_INVALID = "aws is the only currently supported external account type".freeze
+
       attr_reader :project_id
       attr_reader :quota_project_id
 
@@ -36,6 +40,7 @@ def self.make_creds options = {}
         raise "a json file is required for external account credentials" unless json_key_io
 
         user_creds = read_json_key json_key_io
+        raise AWS_SUBJECT_TOKEN_INVALID unless user_creds["subject_token_type"] == AWS_SUBJECT_TOKEN_TYPE
         Google::Auth::ExternalAccount::AwsCredentials.new(
           audience: user_creds["audience"],
           scope: scope,
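Review bot: `AWS_SUBJECT_TOKEN_INVALID` holds an error message rather than a token type, so its name reads as a sibling of `AWS_SUBJECT_TOKEN_TYPE`, and it is the only one of the two new constants without a comment. Consider naming it for what it is and documenting it, e.g. `# Message raised when the credential file's subject_token_type is not the AWS type.` above `AWS_SUBJECT_TOKEN_INVALID_MESSAGE = "aws is the only currently supported external account type".freeze` (a rename would also touch the raise site in the second hunk). Both constants are public on the class; if they are not meant to be part of the API, `private_constant :AWS_SUBJECT_TOKEN_TYPE, :AWS_SUBJECT_TOKEN_INVALID` keeps them internal. Whether the file carries `# frozen_string_literal: true`, which would make the two `.freeze` calls redundant, is not visible in this hunk.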
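Review bot: The new guard raises a plain RuntimeError whose message does not include the value that was actually found, so a credential file with a different token type, a typo, or a missing `subject_token_type` key all fail with the same text. Including the received value makes the failure actionable: `raise "#{AWS_SUBJECT_TOKEN_INVALID}, got #{user_creds["subject_token_type"].inspect}" unless user_creds["subject_token_type"] == AWS_SUBJECT_TOKEN_TYPE`. A string `raise` matches the existing `json_key_io` check two lines above, so the style is consistent; if callers need to rescue configuration errors without catching every RuntimeError, a dedicated error class would be the next step. The check only inspects `subject_token_type`; whether AwsCredentials validates `credential_source` itself is not visible here, so I would confirm that rather than rely on this line alone. `make_creds` begins before this hunk (its signature appears only in the `@@` header) and the `AwsCredentials.new` call continues past the hunk's last line.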