Does anybody know if there are any other ways of authentication/authorization for access to Google Cloud Storage besides a Service Account key when I use the @google-cloud/storage Node.js module from here? I have read about "Workload identity federation", but it seems to me that I cannot use this approach when I use the @google-cloud/storage library. I was not able to find any suitable constructor, only these two:
const {Storage} = require('@google-cloud/storage');
var storage = new Storage({
projectId : `my_google_project_id`,
keyFilename : `my_google_key_file.json` // service account key is inside of this file
});
// or this one:
var storage = new Storage(); // service account key is inside of file specified by environment variable GOOGLE_APPLICATION_CREDENTIALS
Any recommendations? Thank you.
Most Google Clients support a new secrets key file with the type external_account. The following demonstrates how to create this file and set up Application Default Credentials (ADC) to load this file.
To use Workload Identity Federation with Google Client libraries, save the federated credentials to a file and then specify that file via the environment variable GOOGLE_APPLICATION_CREDENTIALS. The Storage client will use ADC and locate the credentials from the environment.
Example for AWS:
# Generate an AWS configuration file.
gcloud iam workload-identity-pools create-cred-config \
projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AWS_PROVIDER_ID \
--service-account $SERVICE_ACCOUNT_EMAIL \
--aws \
--output-file /path/to/generated/config.json
Example for Azure:
# Generate an Azure configuration file.
gcloud iam workload-identity-pools create-cred-config \
projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AZURE_PROVIDER_ID \
--service-account $SERVICE_ACCOUNT_EMAIL \
--azure \
--output-file /path/to/generated/config.json
Note: I generated my credentials on an Azure VM. I added the following command line option to the above command:
--app-id-uri=https://iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id
The output-file value is used to set the environment:
set GOOGLE_APPLICATION_CREDENTIALS=/path/to/generated/config.json
The file has the following structure. This example is for Azure:
{
"type": "external_account",
"audience": "//iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"credential_source": {
"url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id",
"headers": {
"Metadata": "True"
},
"format": {
"type": "json",
"subject_token_field_name": "access_token"
}
},
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
}
Use this style to create a client:
var storage = new Storage();