Add workload identity federation support

[lanzelotik]

Add workload identity federation support https://cloud.google.com/iam/docs/using-workload-identity-federation

[judge2020]

Is this planned? Workload identity federation for accessing GCP services on eg. AWS is a much more secure method than keeping credentials on a machine, and I'd love to use it for my PHP projects.

[dylanenabled]

Specifically, this library should add support for the "external_account" google application credentials "type" as defined in https://google.aip.dev/auth/4117

This is the format that is generated with the gcloud iam workload-identity-pools create-cred-config command and allows using aws, jwt or saml credentials files to impersonate a serviceaccount.

For example (from CircleCI ), pointing the GOOGLE_APPLICATION_CREDENTIALS environment variable to a file that looks like this should load the credentials source to get the token, then use it to impersonate the service account.

 {
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
  "credential_source": {
    "file": "CIRCLE_OIDC_TOKEN_FILE",
    "format": {
      "type": "text"
    }
  }
}

[ghost]

Any updates on this?

[bshaffer]

@arnaubuch this is being worked on now and we will be delivering this auth feature soon

[JurgenLangbroek]

How is it going with this feature?

[bshaffer]

This is being worked on in #462!

[SpencerMalone]

Don't forget OIDC / JWT tokens pls!

[bshaffer]

For everyone following this thread, we have a PR for supporting AWS that should be merged soon. It would be great to have your help testing it out and reviewing it!
Here is the pull request: #474

To test it out, it's simple
DO NOT PERFORM THESE STEPS IN A PRODUCTION ENVIRONMENT

1. install the dev version of the auth library in your application running on AWS with the following command:
   composer require google/auth:dev-aws-for-sts as 1.31.0
   note: this installs a development branch of the auth library, and so is not meant for production use
2. Follow the instructions in https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds to enable Workload Identity Federation
3. Download the credentials on your AWS instance and set GOOGLE_APPLICATION_CREDENTIALS to that file
4. Verify the authentication works as expected.

We expect to have this feature merged and released shortly! If you are willing to test it out beforehand and provide feedback, that would be greatly appreciated. Thank you!

[bshaffer]

Workload Identity Federation support has been added! Please update your google/auth dependency to the latest version (v1.31.0)

This should work out of the box when you set the path to your Workload Identity Federation credentials to the GOOGLE_APPLICATION_CREDENTIALS environment variable, after following the setup instructions

Please open new issues if you encounter any problems or have any questions. Thank you!

Note: Workforce Credentials are still not supported, but support is coming soon (see #485)