From 1bf906931b4d861739da43348cc89bfaeee596e4 Mon Sep 17 00:00:00 2001 From: aeitzman Date: Tue, 30 Jan 2024 11:37:48 -0800 Subject: [PATCH 01/14] docs: adds readme for supplier based external account credentials --- README.md | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/README.md b/README.md index 4c6a3dff8..5c30726d3 100644 --- a/README.md +++ b/README.md 
@@ -470,6 +470,63 @@ credentials unless they do not meet your specific requirements. You can now [use the Auth library](#using-external-identities) to call Google Cloud resources from an OIDC or SAML provider. +#### Using a custom supplier with OIDC and SAML +A custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials +to supply a subject token which can be exchanged for a GCP access token. + +```java +class TokenSupplier implements IdentityPoolSubjectTokenSupplier { + @Override + String getSubjectToken(){ + // return a valid subject token for the configured identity. + } +} +``` +```java +TokenSupplier tokenSupplier = new TokenSupplier(); + IdentityPoolCredentials identityPoolCredentials = + IdentityPoolCredentials.newBuilder() + .setSubjectTokenSupplier(tokenSupplier) // Set token supplier. + .setAudience(...) // Set GCP audience + .setSubjectTokenType(SubjectTokenTypes.JWT) // Set subject token type. + .build(); +``` +Where the audience is the url of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). + +The values for audience, service account impersonation URL, and any other builder field can also be found by +generating a credential configuration file with the gcloud CLI. + +#### Using a custom supplier with AWS +A custom implementation of AWSSecurityCredentialsSupplier can be used while building AWSCredentials to supply +AWS security credentials which can be exchanged for a GCP access token. + +```java +class AwsSupplier implements AwsSecurityCredentialsSupplier { + @Override + AwsSecurityCredentials getAwsSecurityCredentials(){ + // return valid AwsSecurityCredentials for the configured identity. + } + + @Override + String getRegion(){ + // return the current AWS region, i.e. 
"us-east-2" + } +} +``` +```java +AwsSecurityCredentialsSupplier awsSupplier = new AwsSupplier(); +AwsCredentials credentials = AwsCredentials.newBuilder() + .setSubjectTokenType(SubjectTokenTypes.AWS4) // Set subject token type. + .setAudience(...) // Set GCP audience. + .setAwsSecurityCredentialsSupplier(supplier) // Set supplier. + .build(); +``` + +Where the audience is the url of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). + +The values for audience, service account impersonation URL, and any other builder field can also be found by +generating a credential configuration file with the gcloud CLI. + #### Configurable Token Lifetime When creating a credential configuration with workload identity federation using service account impersonation, you can provide an optional argument to configure the service account access token lifetime. From 4231fadcdd468a756bede5c2830c24968f7e6d36 Mon Sep 17 00:00:00 2001 From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Thu, 1 Feb 2024 08:15:38 -0800 Subject: [PATCH 02/14] Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 5c30726d3..6602af708 100644 --- a/README.md +++ b/README.md 
@@ -484,12 +484,12 @@ class TokenSupplier implements IdentityPoolSubjectTokenSupplier { ``` ```java TokenSupplier tokenSupplier = new TokenSupplier(); - IdentityPoolCredentials identityPoolCredentials = - IdentityPoolCredentials.newBuilder() - .setSubjectTokenSupplier(tokenSupplier) // Set token supplier. - .setAudience(...) // Set GCP audience - .setSubjectTokenType(SubjectTokenTypes.JWT) // Set subject token type. - .build(); +IdentityPoolCredentials identityPoolCredentials = + IdentityPoolCredentials.newBuilder() + .setSubjectTokenSupplier(tokenSupplier) // Set token supplier. + .setAudience(...) // Set GCP audience + .setSubjectTokenType(SubjectTokenTypes.JWT) // Set subject token type. + .build(); ``` Where the audience is the url of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). From 4be4b141fa9073bc3ace5bff7f035f194c771629 Mon Sep 17 00:00:00 2001 From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Thu, 1 Feb 2024 08:15:53 -0800 Subject: [PATCH 03/14] Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6602af708..9859402e0 100644 --- a/README.md +++ b/README.md @@ -504,7 +504,7 @@ AWS security credentials which can be exchanged for a GCP access token. class AwsSupplier implements AwsSecurityCredentialsSupplier { @Override AwsSecurityCredentials getAwsSecurityCredentials(){ - // return valid AwsSecurityCredentials for the configured identity. + // Return valid AwsSecurityCredentials for the configured identity. } @Override From 8834075c14f60cfa8d33a48832bab3fbd3e3e0bb Mon Sep 17 00:00:00 2001 
From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Thu, 1 Feb 2024 08:16:06 -0800 Subject: [PATCH 04/14] Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9859402e0..d09a08b0a 100644 --- a/README.md +++ b/README.md @@ -509,7 +509,7 @@ class AwsSupplier implements AwsSecurityCredentialsSupplier { @Override String getRegion(){ - // return the current AWS region, i.e. "us-east-2" + // Return the current AWS region, i.e. "us-east-2". } } ``` From b2fb2055d1f807e8cf1ab5057ebe8e34cc629833 Mon Sep 17 00:00:00 2001 From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Thu, 1 Feb 2024 08:16:18 -0800 Subject: [PATCH 05/14] Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d09a08b0a..7b31e62ba 100644 --- a/README.md +++ b/README.md @@ -478,7 +478,7 @@ to supply a subject token which can be exchanged for a GCP access token. class TokenSupplier implements IdentityPoolSubjectTokenSupplier { @Override String getSubjectToken(){ - // return a valid subject token for the configured identity. + // Return a valid subject token for the configured identity. } } ``` From d9c16ecf282d572fc738c413c663575b76c91d70 Mon Sep 17 00:00:00 2001 From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Thu, 1 Feb 2024 08:16:35 -0800 Subject: [PATCH 06/14] Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7b31e62ba..44f5a5179 100644 --- a/README.md +++ b/README.md 
@@ -491,7 +491,7 @@ IdentityPoolCredentials identityPoolCredentials = .setSubjectTokenType(SubjectTokenTypes.JWT) // Set subject token type. .build(); ``` -Where the audience is the url of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). +Where the audience is the URL of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). The values for audience, service account impersonation URL, and any other builder field can also be found by generating a credential configuration file with the gcloud CLI. From 97cf835bc4ddfbe218e5528105df9e6855787a6e Mon Sep 17 00:00:00 2001 From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Thu, 1 Feb 2024 08:17:03 -0800 Subject: [PATCH 07/14] Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 44f5a5179..bda0778f9 100644 --- a/README.md +++ b/README.md @@ -497,8 +497,7 @@ The values for audience, service account impersonation URL, and any other builde generating a credential configuration file with the gcloud CLI. #### Using a custom supplier with AWS -A custom implementation of AWSSecurityCredentialsSupplier can be used while building AWSCredentials to supply -AWS security credentials which can be exchanged for a GCP access token. +A custom implementation of AwsSecurityCredentialsSupplier can be provided when initializing AwsCredentials. If provided, the AwsCredentials instance will defer to the supplier to retrieve AWS security credentials to exchange for a GCP access token. ```java class AwsSupplier implements AwsSecurityCredentialsSupplier { From 5c693b4c738f3d1a035730f8205e19d13a720254 Mon Sep 17 00:00:00 2001 
From: aeitzman Date: Thu, 1 Feb 2024 08:32:42 -0800 Subject: [PATCH 08/14] addressing review --- README.md | 50 ++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index bda0778f9..fd9ff95da 100644 --- a/README.md +++ b/README.md @@ -472,18 +472,19 @@ resources from an OIDC or SAML provider. #### Using a custom supplier with OIDC and SAML A custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials -to supply a subject token which can be exchanged for a GCP access token. +to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid, +unexpired subject token when called by the GCP credential. ```java -class TokenSupplier implements IdentityPoolSubjectTokenSupplier { +class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { @Override - String getSubjectToken(){ + String getSubjectToken() { // Return a valid subject token for the configured identity. } } ``` ```java -TokenSupplier tokenSupplier = new TokenSupplier(); +CustomTokenSupplier tokenSupplier = new CustomTokenSupplier(); IdentityPoolCredentials identityPoolCredentials = IdentityPoolCredentials.newBuilder() .setSubjectTokenSupplier(tokenSupplier) // Set token supplier. 
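Review bot: in the `class CustomTokenSupplier` block of this hunk, `String getSubjectToken() {` is declared with package-private visibility, but `IdentityPoolSubjectTokenSupplier` is an interface and its methods are implicitly public, so `javac` rejects the override with "attempting to assign weaker access privileges". Since this snippet is what readers will copy, declare it `public String getSubjectToken() {` (and `public class CustomTokenSupplier` if it is meant to be used from another package). The new sentence "The supplier must return a valid, unexpired subject token when called by the GCP credential." is the right requirement to state; consider also saying how often the credential will call it, since that determines whether a supplier needs its own caching.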
@@ -494,26 +495,27 @@ IdentityPoolCredentials identityPoolCredentials = Where the audience is the URL of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). The values for audience, service account impersonation URL, and any other builder field can also be found by -generating a credential configuration file with the gcloud CLI. +generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config). #### Using a custom supplier with AWS A custom implementation of AwsSecurityCredentialsSupplier can be provided when initializing AwsCredentials. If provided, the AwsCredentials instance will defer to the supplier to retrieve AWS security credentials to exchange for a GCP access token. +The supplier must return valid, unexpired AWS security credentials when called by the GCP credential. ```java -class AwsSupplier implements AwsSecurityCredentialsSupplier { +class CustomAwsSupplier implements AwsSecurityCredentialsSupplier { @Override - AwsSecurityCredentials getAwsSecurityCredentials(){ + AwsSecurityCredentials getAwsSecurityCredentials() { // Return valid AwsSecurityCredentials for the configured identity. } @Override - String getRegion(){ + String getRegion() { // Return the current AWS region, i.e. "us-east-2". } } ``` ```java -AwsSecurityCredentialsSupplier awsSupplier = new AwsSupplier(); +CustomAwsSupplier awsSupplier = new CustomAwsSupplier(); AwsCredentials credentials = AwsCredentials.newBuilder() .setSubjectTokenType(SubjectTokenTypes.AWS4) // Set subject token type. .setAudience(...) // Set GCP audience. 
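Review bot: both overrides in the `CustomAwsSupplier` block, `AwsSecurityCredentials getAwsSecurityCredentials() {` and `String getRegion() {`, omit `public` and therefore do not compile as an implementation of `AwsSecurityCredentialsSupplier`, whose methods are implicitly public. In the same block, `// Return the current AWS region, i.e. "us-east-2".` gives an example rather than a definition, so "e.g." is the right abbreviation. The region matters for more than routing: it is part of the AWS4 signature the credential computes, so a supplier that returns a stale or mismatched region produces a signed request the exchange will reject; worth a sentence in the README.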
@@ -524,7 +526,7 @@ AwsCredentials credentials = AwsCredentials.newBuilder() Where the audience is the url of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). The values for audience, service account impersonation URL, and any other builder field can also be found by -generating a credential configuration file with the gcloud CLI. +generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config). #### Configurable Token Lifetime When creating a credential configuration with workload identity federation using service account impersonation, you can provide an optional argument to configure the service account access token lifetime. 
@@ -760,6 +762,34 @@ specified below. It must output the response to stdout. Refer to the [using executable-sourced credentials with Workload Identity Federation](#using-executable-sourced-credentials-with-oidc-and-saml) above for the executable response specification. +#### Using a custom supplier with OIDC and SAML +A custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials +to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid, +unexpired subject token when called by the GCP credential. + +```java +class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { + @Override + String getSubjectToken() { + // Return a valid subject token for the configured identity. + } +} +``` +```java +CustomTokenSupplier tokenSupplier = new CustomTokenSupplier(); +IdentityPoolCredentials identityPoolCredentials = + IdentityPoolCredentials.newBuilder() + .setSubjectTokenSupplier(tokenSupplier) // Set token supplier. + .setAudience(...) // Set GCP audience + .setSubjectTokenType(SubjectTokenTypes.JWT) // Set subject token type. + .setWorkforcePoolUserProject(...) // Set workforce pool user project. + .build(); +``` +Where the audience is the URL of the [workforce pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). + +The values for audience, service account impersonation URL, and any other builder field can also be found by +generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#use_configuration_files_for_sign-in). + ##### Security considerations The following security practices are highly recommended: * Access to the script should be restricted as it will be displaying credentials to stdout. This ensures that rogue processes do not gain access to the script. 
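Review bot: this hunk inserts the new `#### Using a custom supplier with OIDC and SAML` section between the executable-sourced credentials text ("Refer to the [using executable-sourced credentials with Workload Identity Federation] ... above for the executable response specification.") and that section's own `##### Security considerations` block, so the bullets about restricting access to the script because it writes credentials to stdout now render as a sub-section of the custom-supplier documentation, where they do not apply. Move the insertion below the security-considerations bullets, or above the executable-sourced section. Separately, the link text "workforce pool" points at the workload identity federation best-practices page rather than the workforce documentation, and the heading text is identical to the workload section's heading added earlier in this commit, which makes in-page anchor links ambiguous; a qualifier such as "(workforce)" in the heading would avoid that.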
From 342402babc6b24a0f445c6a2c69cae7125b7c211 Mon Sep 17 00:00:00 2001 From: aeitzman Date: Thu, 1 Feb 2024 14:17:39 -0800 Subject: [PATCH 09/14] Addressing comments --- README.md | 97 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 87 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index fd9ff95da..e9e1f21be 100644 --- a/README.md +++ b/README.md @@ -475,11 +475,34 @@ A custom implementation of IdentityPoolSubjectTokenSupplier can be used while bu to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid, unexpired subject token when called by the GCP credential. +IdentityPoolCredentials do not cache the returned token, so caching logic should be +implemented in the token supplier to prevent multiple requests for the same subject token. + ```java -class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { +import java.io.IOException; + +public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { + @Override - String getSubjectToken() { - // Return a valid subject token for the configured identity. + public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException { + // Any call to the supplier will pass a context object with the requested + // audience and subject token type. + string audience = context.getAudience(); + string tokenType = context.getSubjectTokenType(); + + try { + // Return a valid, unexpected token for the requested audience and token type. + // Note that IdentityPoolCredentials do not cache the subject token so + // any caching logic needs to be implemented in the token supplier. + return retrieveToken(audience, tokenType); + } catch (exception e) { + // If token cannot be retrieved, throw IOException. + throw new IOException(e); + } + } + + private String retrieveToken(string tokenType, string audience) { + // Retrieve a subject token of the requested type for the requested audience. } } ``` 
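Review bot: in `getSubjectToken`, the call `return retrieveToken(audience, tokenType);` passes the arguments in the opposite order from the declaration `private String retrieveToken(string tokenType, string audience)`, so anyone who fills in the helper body will request a token of the wrong type for the wrong audience; swap either the call or the parameter list. The snippet also uses `string` and `exception`, which are not Java types (`String` and `Exception`), and the comment says "unexpected token" where "unexpired" is meant. On the new caching paragraph: because the credential calls the supplier on every exchange and, as the text says, does not cache the result, a cache inside the supplier must be keyed on the audience and subject token type it receives from `ExternalAccountSupplierContext` and must drop the entry before the token's expiry, otherwise it silently violates the "valid, unexpired" requirement stated two paragraphs above; the README should say so rather than recommend caching unqualified.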
@@ -501,16 +524,47 @@ generating a [credential configuration file with the gcloud CLI](https://cloud.g A custom implementation of AwsSecurityCredentialsSupplier can be provided when initializing AwsCredentials. If provided, the AwsCredentials instance will defer to the supplier to retrieve AWS security credentials to exchange for a GCP access token. The supplier must return valid, unexpired AWS security credentials when called by the GCP credential. +AwsCredentials do not cache the returned AWS security credentials or region, so caching logic should be +implemented in the supplier to prevent multiple requests for the same resources. + ```java class CustomAwsSupplier implements AwsSecurityCredentialsSupplier { @Override - AwsSecurityCredentials getAwsSecurityCredentials() { - // Return valid AwsSecurityCredentials for the configured identity. + AwsSecurityCredentials getAwsSecurityCredentials(ExternalAccountSupplierContext context) throws IOException { + // Any call to the supplier will pass a context object with the requested + // audience + string audience = context.getAudience(); + + try { + // Return valid, unexpired AWS security credentials for the requested audience. + // Note that AwsCredentials do not cache the AWS security credentials so + // any caching logic needs to be implemented in the credentials' supplier. + return retrieveAwsSecurityCredentials(audience); + } catch (exception e) { + // If credentials cannot be retrieved, throw IOException. + throw new IOException(e); + } } @Override - String getRegion() { - // Return the current AWS region, i.e. "us-east-2". + String getRegion(ExternalAccountSupplierContext context) throws IOException { + try { + // Return a valid AWS region. i.e. "us-east-2" + // Note that AwsCredentials do not cache the region so + // any caching logic needs to be implemented in the credentials' supplier. + return retrieveAwsRegion(); + } catch (exception e) { + // If token cannot be retrieved, throw IOException. 
+ throw new IOException(e); + } + } + + private AwsSecurityCredentials retrieveAwsSecurityCredentials(string audience) { + // Retrieve Aws security credentials for the requested audience. + } + + private String retrieveAwsRegion() { + // Retrieve current AWS region. } } ``` @@ -767,11 +821,34 @@ A custom implementation of IdentityPoolSubjectTokenSupplier can be used while bu to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid, unexpired subject token when called by the GCP credential. +IdentityPoolCredentials do not cache the returned token, so caching logic should be +implemented in the token supplier to prevent multiple requests for the same subject token. + ```java -class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { +import java.io.IOException; + +public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { + @Override - String getSubjectToken() { - // Return a valid subject token for the configured identity. + public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException { + // Any call to supplier will pass a context object with the requested + // audience and subject token type. + string audience = context.getAudience(); + string tokenType = context.getSubjectTokenType(); + + try { + // Return a valid, unexpected token for the requested audience and token type. + // Note that the IdentityPoolCredential does not cache the subject token so + // any caching logic needs to be implemented in the token supplier. + return retrieveToken(audience, tokenType); + } catch (exception e) { + // If token cannot be retrieved, throw IOException. + throw new IOException(e); + } + } + + private String retrieveToken(string tokenType, string audience) { + // Retrieve a subject token of the requested type for the requested audience. } } ``` From 17383ea5ff6be2b3ed674e0523ae094af70eb2f2 Mon Sep 17 00:00:00 2001 
From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Fri, 2 Feb 2024 08:16:41 -0800 Subject: [PATCH 10/14] Apply suggestions from code review Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index e9e1f21be..5b14d8b16 100644 --- a/README.md +++ b/README.md @@ -511,7 +511,7 @@ CustomTokenSupplier tokenSupplier = new CustomTokenSupplier(); IdentityPoolCredentials identityPoolCredentials = IdentityPoolCredentials.newBuilder() .setSubjectTokenSupplier(tokenSupplier) // Set token supplier. - .setAudience(...) // Set GCP audience + .setAudience(...) // Set GCP audience. .setSubjectTokenType(SubjectTokenTypes.JWT) // Set subject token type. .build(); ``` @@ -577,7 +577,7 @@ AwsCredentials credentials = AwsCredentials.newBuilder() .build(); ``` -Where the audience is the url of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). +Where the audience is the URL of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). The values for audience, service account impersonation URL, and any other builder field can also be found by generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config). 
@@ -856,10 +856,10 @@ public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { CustomTokenSupplier tokenSupplier = new CustomTokenSupplier(); IdentityPoolCredentials identityPoolCredentials = IdentityPoolCredentials.newBuilder() - .setSubjectTokenSupplier(tokenSupplier) // Set token supplier. - .setAudience(...) // Set GCP audience - .setSubjectTokenType(SubjectTokenTypes.JWT) // Set subject token type. - .setWorkforcePoolUserProject(...) // Set workforce pool user project. + .setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier. + .setAudience(...) // Sets the GCP audience. + .setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type. + .setWorkforcePoolUserProject(...) // Sets the workforce pool user project. .build(); ``` Where the audience is the URL of the [workforce pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). From 977b1273fb340b3bb7bb5294016b0518a99d3c97 Mon Sep 17 00:00:00 2001 From: aeitzman Date: Fri, 2 Feb 2024 08:21:45 -0800 Subject: [PATCH 11/14] clean up workforce docs --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5b14d8b16..36ce3bc96 100644 --- a/README.md +++ b/README.md 
@@ -862,7 +862,14 @@ IdentityPoolCredentials identityPoolCredentials = .setWorkforcePoolUserProject(...) // Sets the workforce pool user project. .build(); ``` -Where the audience is the URL of the [workforce pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). +Where the audience is: +```//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/PROVIDER_ID``` + +Where the following variables need to be substituted: +- `WORKFORCE_POOL_ID`: The workforce pool ID. +- `PROVIDER_ID`: The provider ID. + +and the workforce pool user project is the project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project). The values for audience, service account impersonation URL, and any other builder field can also be found by generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#use_configuration_files_for_sign-in). From 52ef20f64871f3b610ef9c53493d3d342006bdc6 Mon Sep 17 00:00:00 2001 From: aeitzman Date: Fri, 2 Feb 2024 08:52:59 -0800 Subject: [PATCH 12/14] Addressing comments --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 36ce3bc96..060915fde 100644 --- a/README.md +++ b/README.md 
@@ -491,12 +491,12 @@ public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { string tokenType = context.getSubjectTokenType(); try { - // Return a valid, unexpected token for the requested audience and token type. + // Return a valid, unexpired token for the requested audience and token type. // Note that IdentityPoolCredentials do not cache the subject token so // any caching logic needs to be implemented in the token supplier. return retrieveToken(audience, tokenType); - } catch (exception e) { - // If token cannot be retrieved, throw IOException. + } catch (Exception e) { + // If token is unavailable, throw IOException. throw new IOException(e); } } @@ -540,8 +540,8 @@ class CustomAwsSupplier implements AwsSecurityCredentialsSupplier { // Note that AwsCredentials do not cache the AWS security credentials so // any caching logic needs to be implemented in the credentials' supplier. return retrieveAwsSecurityCredentials(audience); - } catch (exception e) { - // If credentials cannot be retrieved, throw IOException. + } catch (Exception e) { + // If credentials are unavailable, throw IOException. throw new IOException(e); } } @@ -553,8 +553,8 @@ class CustomAwsSupplier implements AwsSecurityCredentialsSupplier { // Note that AwsCredentials do not cache the region so // any caching logic needs to be implemented in the credentials' supplier. return retrieveAwsRegion(); - } catch (exception e) { - // If token cannot be retrieved, throw IOException. + } catch (Exception e) { + // If region is unavailable, throw IOException. throw new IOException(e); } } 
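Review bot: these three hunks correct `catch (exception e)` to `catch (Exception e)` and the "unexpected" typo, but the `string tokenType = context.getSubjectTokenType();` declaration visible as context at the top of the first hunk is still lowercase, so the examples remain uncompilable after this commit; change the `string` declarations to `String` in the same pass. The call `return retrieveToken(audience, tokenType);` shown in the first hunk also still reverses the parameter order of the `retrieveToken(string tokenType, string audience)` helper introduced in the previous commit.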
@@ -837,12 +837,12 @@ public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { string tokenType = context.getSubjectTokenType(); try { - // Return a valid, unexpected token for the requested audience and token type. + // Return a valid, unexpired token for the requested audience and token type. // Note that the IdentityPoolCredential does not cache the subject token so // any caching logic needs to be implemented in the token supplier. return retrieveToken(audience, tokenType); - } catch (exception e) { - // If token cannot be retrieved, throw IOException. + } catch (Exception e) { + // If token is unavailable, throw IOException. throw new IOException(e); } } From bfe560859a6549d7078c2185b52652d1166e139e Mon Sep 17 00:00:00 2001 From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Mon, 5 Feb 2024 09:30:06 -0800 Subject: [PATCH 13/14] Apply suggestions from code review Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 060915fde..5fee2d211 100644 --- a/README.md +++ b/README.md @@ -510,9 +510,9 @@ public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { CustomTokenSupplier tokenSupplier = new CustomTokenSupplier(); IdentityPoolCredentials identityPoolCredentials = IdentityPoolCredentials.newBuilder() - .setSubjectTokenSupplier(tokenSupplier) // Set token supplier. - .setAudience(...) // Set GCP audience. - .setSubjectTokenType(SubjectTokenTypes.JWT) // Set subject token type. + .setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier. + .setAudience(...) // Sets the GCP audience. + .setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type. .build(); ``` Where the audience is the URL of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). 
@@ -532,7 +532,7 @@ class CustomAwsSupplier implements AwsSecurityCredentialsSupplier { @Override AwsSecurityCredentials getAwsSecurityCredentials(ExternalAccountSupplierContext context) throws IOException { // Any call to the supplier will pass a context object with the requested - // audience + // audience. string audience = context.getAudience(); try { @@ -549,7 +549,7 @@ class CustomAwsSupplier implements AwsSecurityCredentialsSupplier { @Override String getRegion(ExternalAccountSupplierContext context) throws IOException { try { - // Return a valid AWS region. i.e. "us-east-2" + // Return a valid AWS region. i.e. "us-east-2". // Note that AwsCredentials do not cache the region so // any caching logic needs to be implemented in the credentials' supplier. return retrieveAwsRegion(); @@ -571,9 +571,9 @@ class CustomAwsSupplier implements AwsSecurityCredentialsSupplier { ```java CustomAwsSupplier awsSupplier = new CustomAwsSupplier(); AwsCredentials credentials = AwsCredentials.newBuilder() - .setSubjectTokenType(SubjectTokenTypes.AWS4) // Set subject token type. - .setAudience(...) // Set GCP audience. - .setAwsSecurityCredentialsSupplier(supplier) // Set supplier. + .setSubjectTokenType(SubjectTokenTypes.AWS4) // Sets the subject token type. + .setAudience(...) // Sets the GCP audience. + .setAwsSecurityCredentialsSupplier(supplier) // Sets the supplier. .build(); ``` 
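Review bot: in the last hunk, `.setAwsSecurityCredentialsSupplier(supplier) // Sets the supplier.` references `supplier`, but the variable declared on the line above the builder is `CustomAwsSupplier awsSupplier = new CustomAwsSupplier();`, so the snippet does not compile as written; this has been carried unchanged since the first commit of the series and should be `awsSupplier`. In the first two hunks, `AwsSecurityCredentials getAwsSecurityCredentials(ExternalAccountSupplierContext context) throws IOException {` and `String getRegion(ExternalAccountSupplierContext context) throws IOException {` are still package-private overrides of public interface methods, `string audience = context.getAudience();` still uses a non-Java type, and the corrected comment `// Return a valid AWS region. i.e. "us-east-2".` should read "e.g." since it gives an example.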
@@ -863,11 +863,11 @@ IdentityPoolCredentials identityPoolCredentials = .build(); ``` Where the audience is: -```//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/PROVIDER_ID``` +```//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID``` Where the following variables need to be substituted: -- `WORKFORCE_POOL_ID`: The workforce pool ID. -- `PROVIDER_ID`: The provider ID. +- `$WORKFORCE_POOL_ID`: The workforce pool ID. +- `$PROVIDER_ID`: The provider ID. and the workforce pool user project is the project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project). From 7e3558abd9efa4d602363b4343eabc15b09dd4fe Mon Sep 17 00:00:00 2001 From: aeitzman Date: Tue, 6 Feb 2024 09:16:44 -0800 Subject: [PATCH 14/14] Adding audience documentation for workload --- README.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5fee2d211..149d4aa69 100644 --- a/README.md +++ b/README.md 
@@ -515,7 +515,12 @@ IdentityPoolCredentials identityPoolCredentials = .setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type. .build(); ``` -Where the audience is the URL of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). +Where the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is: +```//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID``` + +Where the following variables need to be substituted: +- `$WORKLOAD_POOL_ID`: The workload pool ID. +- `$PROVIDER_ID`: The provider ID. The values for audience, service account impersonation URL, and any other builder field can also be found by generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config). @@ -577,7 +582,12 @@ AwsCredentials credentials = AwsCredentials.newBuilder() .build(); ``` -Where the audience is the URL of the [workload pool](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). +Where the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is: +```//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID``` + +Where the following variables need to be substituted: +- `$WORKLOAD_POOL_ID`: The workload pool ID. +- `$PROVIDER_ID`: The provider ID. The values for audience, service account impersonation URL, and any other builder field can also be found by generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config).
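Review bot: both hunks give the workload audience as `//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID`, which is the workforce-pool path from the earlier commit with only the variable renamed. A workload identity pool provider's audience has the form `//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`: it carries the project number segment and uses `workloadIdentityPools`, not `workforcePools`. As written, a reader who copies the value builds a credential whose audience does not identify any workload pool provider, so the token exchange fails, and `$PROJECT_NUMBER` needs adding to the "Where the following variables need to be substituted" list in both places.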