feat: Add support for Workforce Identity Pools external credentials. #2200
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
My understanding is that Workforce Identity Federation shouldn't allow automatic service account impersonation. I haven't seen anything in the code to check for that. But it's also possible that my understanding is wrong as the spec is pretty vague. |
Contributor
Author
There's no check for that. I also had that question and also couldn't find anything about it. If my understanding of Java's implementation is right, they are not checking either. So, the implementation for Workforce is the same as for Workload in that respect:
|
jskeet
reviewed
Sep 1, 2022
| /// </summary> | ||
| /// <remarks> | ||
| /// If this external account credential represents a Workforce Pool | ||
| /// enabled identity and this values is not specified, then an API key needs to be |
Collaborator
There was a problem hiding this comment.
values => value here and below
jskeet
approved these changes
Sep 1, 2022
Collaborator
jskeet
left a comment
jskeet
left a comment
There was a problem hiding this comment.
Looks fine so far - one more question I'll follow up on by email.
| GoogleOptions = googleOptions; | ||
| AuthenticationHeader = authenticationHeader; | ||
| } | ||
|
|
Collaborator
There was a problem hiding this comment.
Nit: remove one of these blank lines?
| /// Storage from a web application without a user's involvement. | ||
| /// <para> | ||
| /// <code>ServiceAccountCredential</code> inherits from this class in order to support Service Account. More | ||
| /// <see cref="ServiceAccountCredential"/> inherits from this class in order to support Service Account. More |
Collaborator
There was a problem hiding this comment.
Nit: "in order to support Service Account" => "in order to support Service Accounts"? (While we're changing the comment anyway...)
| /// https://cloud.google.com/compute/docs/authentication. | ||
| /// </para> | ||
| /// <para> | ||
| /// <see cref="ExternalAccountCredential"/> inherits from this class to support both Workload Indentity Federation |
| /// and Workforce Identity Federation. You can read more about these topics in | ||
| /// https://cloud.google.com/iam/docs/workload-identity-federation and | ||
| /// https://cloud.google.com/iam/docs/workforce-identity-federation respectively. | ||
| /// Note that in the case of Workforce Identity Federation, the external account does not represent a service acount |
| /// https://cloud.google.com/iam/docs/workforce-identity-federation respectively. | ||
| /// Note that in the case of Workforce Identity Federation, the external account does not represent a service acount | ||
| /// but a user account, so, the fact that <see cref="ExternalAccountCredential"/> inherits from <see cref="ServiceCredential"/> | ||
| /// might be construed as missleading. In reality <see cref="ServiceCredential"/> it's not tied to a service account |
| /// Note that in the case of Workforce Identity Federation, the external account does not represent a service acount | ||
| /// but a user account, so, the fact that <see cref="ExternalAccountCredential"/> inherits from <see cref="ServiceCredential"/> | ||
| /// might be construed as missleading. In reality <see cref="ServiceCredential"/> it's not tied to a service account | ||
| /// implementation wise, only name wise, for instance, a better name for this class might have been NoUserFlowCredential, and |
Collaborator
There was a problem hiding this comment.
"implementation wise, only name wise" => "in terms of implementation; only in terms of name". (And then a new sentence.)
|
We support Workforce Identity Federation + service account impersonation in the other auth libraries, we just don't document it / tell people to use it |
Contributor
Author
Thanks Leo, then this implementation is correct! |
amanda-tarafa
force-pushed
the
workforce-pools
branch
from
b47669b to
522effd
Compare
amanda-tarafa
commented
Sep 1, 2022
Contributor
Author
amanda-tarafa
left a comment
amanda-tarafa
left a comment
There was a problem hiding this comment.
@jskeet I've addressed all your comments, and also replied internally.
Second commit contains review changes. Thanks.
| GoogleOptions = googleOptions; | ||
| AuthenticationHeader = authenticationHeader; | ||
| } | ||
|
|
| /// Storage from a web application without a user's involvement. | ||
| /// <para> | ||
| /// <code>ServiceAccountCredential</code> inherits from this class in order to support Service Account. More | ||
| /// <see cref="ServiceAccountCredential"/> inherits from this class in order to support Service Account. More |
| /// https://cloud.google.com/compute/docs/authentication. | ||
| /// </para> | ||
| /// <para> | ||
| /// <see cref="ExternalAccountCredential"/> inherits from this class to support both Workload Indentity Federation |
| /// and Workforce Identity Federation. You can read more about these topics in | ||
| /// https://cloud.google.com/iam/docs/workload-identity-federation and | ||
| /// https://cloud.google.com/iam/docs/workforce-identity-federation respectively. | ||
| /// Note that in the case of Workforce Identity Federation, the external account does not represent a service acount |
| /// https://cloud.google.com/iam/docs/workforce-identity-federation respectively. | ||
| /// Note that in the case of Workforce Identity Federation, the external account does not represent a service acount | ||
| /// but a user account, so, the fact that <see cref="ExternalAccountCredential"/> inherits from <see cref="ServiceCredential"/> | ||
| /// might be construed as missleading. In reality <see cref="ServiceCredential"/> it's not tied to a service account |
| /// Note that in the case of Workforce Identity Federation, the external account does not represent a service acount | ||
| /// but a user account, so, the fact that <see cref="ExternalAccountCredential"/> inherits from <see cref="ServiceCredential"/> | ||
| /// might be construed as missleading. In reality <see cref="ServiceCredential"/> it's not tied to a service account | ||
| /// implementation wise, only name wise, for instance, a better name for this class might have been NoUserFlowCredential, and |
lsirac
reviewed
Sep 1, 2022
| public string ServiceAccountImpersonationUrl { get; } | ||
|
|
||
| /// <summary> | ||
| /// The GCP project ID or project number to be used for Workforce Pools |
There was a problem hiding this comment.
At the time I wrote the doc the project ID was not yet supported. Not sure if that changed, just FYI
Contributor
Author
There was a problem hiding this comment.
Public docs still only mention project number, I'll change the text to only mention project number.
amanda-tarafa
force-pushed
the
workforce-pools
branch
from
522effd to
34ce5a2
Compare
amanda-tarafa
added a commit
to amanda-tarafa/google-api-dotnet-client
that referenced
this pull request
Oct 18, 2022
Features - googleapis#2228 Supports Quota Project environment variable for ADC. - googleapis#2219 Removes obsolete OOB code. BREAKING CHANGE: We have removed OOB support from the library because the feature is not supported by Google OAuth as of October 3rd 2022. See the [official announcement](https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#disallowed-oob) for more information. - googleapis#2216 Log errors when trying to reach Compute's metadata server. - googleapis#2177, googleapis#2197, googleapis#2200, googleapis#2206, googleapis#2215, googleapis#2235 Support for Workload Identity Federation and Worforce Identity Federation. - googleapis#2103 Compute credentials support explicit scopes. - googleapis#2096 Improves deserialization error handling.
amanda-tarafa
added a commit
that referenced
this pull request
Oct 18, 2022
Features - #2228 Supports Quota Project environment variable for ADC. - #2219 Removes obsolete OOB code. BREAKING CHANGE: We have removed OOB support from the library because the feature is not supported by Google OAuth as of October 3rd 2022. See the [official announcement](https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#disallowed-oob) for more information. - #2216 Log errors when trying to reach Compute's metadata server. - #2177, #2197, #2200, #2206, #2215, #2235 Support for Workload Identity Federation and Worforce Identity Federation. - #2103 Compute credentials support explicit scopes. - #2096 Improves deserialization error handling.
amanda-tarafa
added a commit
to amanda-tarafa/google-api-dotnet-client
that referenced
this pull request
Nov 30, 2022
And support version: 1.58.0-beta02 => 1.58.0 Bug fixes: - googleapis#2273 Don't attempt to use an empty/null media type in batch responses - googleapis#2251 Which fixes a typo on then name of one of the AWS Credential environment variables. - googleapis#2264 Which adds a missing line break in AWS Credential canonical request. Features - googleapis#2269 Support per-request max retry configuration. - googleapis#2228 Supports Quota Project environment variable for ADC. - googleapis#2219 Removes obsolete OOB code. BREAKING CHANGE: We have removed OOB support from the library because the feature is not supported by Google OAuth as of October 3rd 2022. See the [official announcement](https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#disallowed-oob) for more information. - googleapis#2216 Log errors when trying to reach Compute's metadata server. - googleapis#2177, googleapis#2197, googleapis#2200, googleapis#2206, googleapis#2215, googleapis#2235 Support for Workload Identity Federation and Worforce Identity Federation. - googleapis#2103 Compute credentials support explicit scopes. - googleapis#2096 Improves deserialization error handling.
amanda-tarafa
added a commit
to amanda-tarafa/google-api-dotnet-client
that referenced
this pull request
Nov 30, 2022
And support version: 1.58.0-beta02 => 1.58.0 Dependencies: - Client libraries no longer target netstandard1.0 or net40. Bug fixes: - googleapis#2273 Don't attempt to use an empty/null media type in batch responses - googleapis#2251 Which fixes a typo on then name of one of the AWS Credential environment variables. - googleapis#2264 Which adds a missing line break in AWS Credential canonical request. Features - googleapis#2269 Support per-request max retry configuration. - googleapis#2228 Supports Quota Project environment variable for ADC. - googleapis#2219 Removes obsolete OOB code. BREAKING CHANGE: We have removed OOB support from the library because the feature is not supported by Google OAuth as of October 3rd 2022. See the [official announcement](https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#disallowed-oob) for more information. - googleapis#2216 Log errors when trying to reach Compute's metadata server. - googleapis#2177, googleapis#2197, googleapis#2200, googleapis#2206, googleapis#2215, googleapis#2235 Support for Workload Identity Federation and Worforce Identity Federation. - googleapis#2103 Compute credentials support explicit scopes. - googleapis#2096 Improves deserialization error handling.
amanda-tarafa
added a commit
that referenced
this pull request
Nov 30, 2022
And support version: 1.58.0-beta02 => 1.58.0 Dependencies: - Client libraries no longer target netstandard1.0 or net40. Bug fixes: - #2273 Don't attempt to use an empty/null media type in batch responses - #2251 Which fixes a typo on then name of one of the AWS Credential environment variables. - #2264 Which adds a missing line break in AWS Credential canonical request. Features - #2269 Support per-request max retry configuration. - #2228 Supports Quota Project environment variable for ADC. - #2219 Removes obsolete OOB code. BREAKING CHANGE: We have removed OOB support from the library because the feature is not supported by Google OAuth as of October 3rd 2022. See the [official announcement](https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#disallowed-oob) for more information. - #2216 Log errors when trying to reach Compute's metadata server. - #2177, #2197, #2200, #2206, #2215, #2235 Support for Workload Identity Federation and Worforce Identity Federation. - #2103 Compute credentials support explicit scopes. - #2096 Improves deserialization error handling.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
FYI: @lsirac, @jpassing, @moserware