
Add support for Workload Identity Federation #578

Open
jawnsy opened this issue Jan 24, 2023 · 2 comments

Comments

@jawnsy

jawnsy commented Jan 24, 2023

Summary

Add support for the external_account service account type, which is used in Workload Identity Federation.

Background

When running in GitHub Actions, we can use Workload Identity Federation to exchange our GitHub Actions identity token for a corresponding Google Cloud Service Account credential. The credential looks like this:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/PROJECT_ID/locations/global/workloadIdentityPools/POOL_NAME/providers/PROVIDER_NAME",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service-account-name@project-name.iam.gserviceaccount.com:generateAccessToken",
  "credential_source": {
    "url": "https://pipelines.actions.githubusercontent.com/REDACTED_ID/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/REDACTED_UUID/jobs/REDACTED_UUID/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2FPROJECT_ID%2Flocations%2Fglobal%2FworkloadIdentityPools%2FPOOL_ID%2Fproviders%2FPROVIDER_ID",
    "headers": {
      "Authorization": "Bearer BIG_JWT_TOKEN"
    },
    "format": {
      "type": "json",
      "subject_token_field_name": "value"
    }
  }
}

Google describes this as "pluggable credentials" and this requires support in your software package.

Google supports six types for file-based credentials:

# Valid types accepted for file-based credentials.
_AUTHORIZED_USER_TYPE = "authorized_user"
_SERVICE_ACCOUNT_TYPE = "service_account"
_EXTERNAL_ACCOUNT_TYPE = "external_account"
_EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE = "external_account_authorized_user"
_IMPERSONATED_SERVICE_ACCOUNT_TYPE = "impersonated_service_account"
_GDCH_SERVICE_ACCOUNT_TYPE = "gdch_service_account"

However, this library only supports three of these:

class Type(enum.Enum):
    AUTHORIZED_USER = 'authorized_user'
    GCE_METADATA = 'gce_metadata'
    SERVICE_ACCOUNT = 'service_account'

Minimum reproduction example

When running in GitHub Actions using a service account obtained through Workload Identity Federation, running the following script:

from gcloud.aio.bigquery import Dataset

dataset = Dataset()

will yield the following error:

ValueError: 'external_account' is not a valid Type

Possible workaround

It may be possible to use Google's library to obtain a token and then pass it to gcloud-aio instead.

See also

@marechaln

Hi, I get the same problem with external_account credentials files from WIF while using gcloud.aio.storage ... this ends in gcloud.aio.auth:

lib/python3.11/site-packages/gcloud/aio/auth/token.py", line 162, in __init__
    self.token_type = Type(self.service_data['type'])
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/enum.py", line 712, in __call__
    return cls.__new__(cls, value)
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/enum.py", line 1135, in __new__
    raise ve_exc
ValueError: 'external_account' is not a valid Type

This is blocking for all my projects since WIF is the only accepted auth strategy in my job context

BRs,

@TheKevJames
Member

Hey folks! As of today, we now support 4/6 types... unfortunately, still not this one in particular. We'd be happy to accept a PR which adds support, but until then we do not currently have the internal capacity to build this.

I do believe one of our vendors is planning on switching over to making WIF mandatory, which would certainly put this on our internal roadmap, but for now please consider this ticket to be "in search of a contributor".
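For anyone picking up the "in search of a contributor" call above, the following is an added example (not gcloud-aio code, not from any participant in this thread) sketching the three steps that the external_account file in the issue describes: read the subject token from credential_source, exchange it at token_url (the STS token-exchange endpoint, RFC 8693 style), then call service_account_impersonation_url to mint the service-account token. The HTTP transport is injected, so the flow runs offline against a constructed fake; SAMPLE_CRED, FakeTransport, every project ID, URL and token string in the fixture, and the function names are assumptions for illustration. A real implementation would plug in its own async HTTP client in place of the fake.

```python
"""external_account (Workload Identity Federation) flow: subject token -> STS exchange -> impersonation."""
import json
import urllib.parse
from typing import Callable, Dict, Optional

# transport(method, url, headers, body) -> response body text; injected so the flow can run offline
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], str]
STS_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
DEFAULT_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def read_subject_token(source: dict, transport: Transport) -> str:
    """Step 1: fetch the external token named by credential_source (url- or file-based)."""
    if "url" in source:
        # The headers carry the runner's own request token: the credential file is itself a secret.
        raw = transport("GET", source["url"], dict(source.get("headers", {})), None)
    elif "file" in source:
        with open(source["file"], encoding="utf-8") as fh:
            raw = fh.read()
    else:
        raise ValueError("credential_source needs 'url' or 'file'")
    fmt = source.get("format", {"type": "text"})
    if fmt.get("type", "text") == "json":
        return json.loads(raw)[fmt["subject_token_field_name"]]
    return raw.strip()


def exchange_subject_token(cred: dict, subject_token: str, transport: Transport,
                           scope: str = DEFAULT_SCOPE) -> dict:
    """Step 2: RFC 8693 token exchange at token_url; returns the STS JSON response."""
    form = {
        "grant_type": STS_GRANT_TYPE,
        "audience": cred["audience"],
        "scope": scope,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token_type": cred["subject_token_type"],
        "subject_token": subject_token,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode(form).encode()
    return json.loads(transport("POST", cred["token_url"], headers, body))


def impersonate(cred: dict, federated_token: str, transport: Transport, scope: str = DEFAULT_SCOPE) -> dict:
    """Step 3: trade the federated token for a service-account token via generateAccessToken."""
    headers = {"Authorization": f"Bearer {federated_token}", "Content-Type": "application/json"}
    body = json.dumps({"scope": [scope], "lifetime": "3600s"}).encode()
    return json.loads(transport("POST", cred["service_account_impersonation_url"], headers, body))


def fetch_access_token(cred: dict, transport: Transport) -> str:
    """Run the whole flow; refuse the other credential-file types instead of misreading them."""
    if cred.get("type") != "external_account":
        raise ValueError(f"{cred.get('type')!r} is not an external_account credential")
    sts = exchange_subject_token(cred, read_subject_token(cred["credential_source"], transport), transport)
    if "service_account_impersonation_url" not in cred:
        return sts["access_token"]  # federated token used directly, no impersonation configured
    return impersonate(cred, sts["access_token"], transport)["accessToken"]


# Constructed fixture: a credential in the shape shown in the issue (every ID and token is a placeholder).
SAMPLE_CRED = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/gh",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@proj.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {
        "url": "https://example.invalid/idtoken?audience=...",
        "headers": {"Authorization": "Bearer runner-request-token"},
        "format": {"type": "json", "subject_token_field_name": "value"},
    },
}


class FakeTransport:
    """Offline stand-in for the three endpoints: records each request and checks the token handoffs."""
    def __init__(self) -> None:
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url == SAMPLE_CRED["credential_source"]["url"]:
            assert headers["Authorization"] == "Bearer runner-request-token"
            return json.dumps({"value": "github.oidc.jwt"})
        if url == SAMPLE_CRED["token_url"]:
            form = urllib.parse.parse_qs(body.decode())
            assert form["subject_token"] == ["github.oidc.jwt"] and form["grant_type"] == [STS_GRANT_TYPE]
            return json.dumps({"access_token": "federated-token", "token_type": "Bearer", "expires_in": 3600})
        if url == SAMPLE_CRED["service_account_impersonation_url"]:
            assert headers["Authorization"] == "Bearer federated-token"
            return json.dumps({"accessToken": "sa-token", "expireTime": "2023-01-24T01:00:00Z"})
        raise AssertionError(f"unexpected request to {url}")


def demo():
    transport = FakeTransport()
    return fetch_access_token(SAMPLE_CRED, transport), transport.calls
```

Two practical notes. The credential_source.headers value in a GitHub-generated file is the runner's bearer token for the job, so an external_account file produced inside a workflow is a secret in its own right and should be treated like a service-account key file rather than logged or committed. And the up-front type check mirrors the failure mode in this thread: a loader should reject unsupported file types with a clear error instead of falling through to a generic enum ValueError.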
