
Support Workload Identity Federation authentication #433

Closed
sshcherbakov opened this issue Nov 24, 2022 · 9 comments
Comments

@sshcherbakov

sshcherbakov commented Nov 24, 2022

Support Workload Identity Federation authentication by upgrading googleauth dependency to the latest version 1.3.0.

At the moment the "external_account" type of GOOGLE_APPLICATION_CREDENTIALS is not supported, and hence GitHub Actions using google-github-actions/auth cannot benefit from keyless workload identity federation authentication.

@wyardley

wyardley commented Feb 3, 2023

I'm seeing the same issue

>>>>>> Unable to read the default credential file: credentials type 'external_account' is not supported

@wyardley

wyardley commented Feb 3, 2023

@sshcherbakov doesn't look like googleauth is pinned (and there's no lockfile)?

gem 'googleauth'

Not sure how those get installed when the plugin gets vendored...

@wyardley

wyardley commented Feb 4, 2023

% bundle why googleauth
inspec-bin -> inspec -> train -> google-api-client -> googleauth
kitchen-inspec -> inspec -> train -> google-api-client -> googleauth
kitchen-terraform -> inspec -> train -> google-api-client -> googleauth
inspec-bin -> inspec -> train -> googleauth
kitchen-inspec -> inspec -> train -> googleauth
kitchen-terraform -> inspec -> train -> googleauth

So I think this actually needs to be handled here:
inspec/train#729

@rbclark
Contributor

rbclark commented Feb 4, 2023

So I am actually utilizing Workload Identity Federation with inspec-gcp now, however it is not super straightforward to do. In order to do it properly there are multiple dependencies that need to be updated. Specifically this PR needs to be merged before the train can be set in motion. With that in mind, it should be possible now if you are willing to run a version of google-auth-library-ruby that I have on a branch of mine with that PR ported in and the version artificially lowered: https://github.com/rbclark/google-auth-library-ruby/tree/add-external-account-credentials

As a note #415 and #416 were both PRs to fix workload identity federation compatibility so once an appropriate version of google-auth-library-ruby is supported then Workload Identity Federation will just start working.

@wyardley

wyardley commented Feb 4, 2023

Specifically googleapis/google-auth-library-ruby#414 needs to be merged before the train can be set in motion

Ah - thanks - I had seen that one and wondered if it was related (the AWS bit threw me a little).
Will this work for other OIDC providers?

With that in mind, it should be possible now if you are willing to run a version of google-auth-library-ruby that I have on a branch of mine with that PR ported in

Thanks - I saw your comment about that; appreciate it.
Since it's all via indirect dependencies, is there any trick to getting the forked version to override the version that bundler's getting?

I may just wait - the project I'm using it against doesn't have any real resources in it, so I can deal with using static credentials for a bit longer - just frustrating since test-kitchen / terraform work great already with OIDC.

@rbclark
Contributor

rbclark commented Feb 6, 2023

Ah - thanks - I had seen that one and wondered if it was related (the AWS bit threw me a little). Will this work for other OIDC providers?

I personally only needed AWS for my use case so when I put up the PR it only contained support for AWS. At this point my work has been rolled up into another PR and I am unsure if they added support for additional providers.

Thanks - I saw your comment about that; appreciate it. Since it's all via indirect dependencies, is there any trick to getting the forked version to override the version that bundler's getting?

The Gemfile in my root project looks like this:

source "https://rubygems.org"

gem "googleauth", github: "rbclark/google-auth-library-ruby", branch: "add-external-account-credentials"

source "https://packagecloud.io/cinc-project/stable" do
  gem "cinc-auditor-bin"
end

If I remember correctly that caused all of the inspec packages to also use the correct googleauth dependency (due to the version number I have set on that branch).
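The error quoted earlier in this thread ("credentials type 'external_account' is not supported") and the Gemfile override above both come down to one question: does the googleauth version that bundler actually resolves understand the credential file that google-github-actions/auth writes? The following preflight check is an added example, not code from the inspec-gcp, train or googleauth projects. It parses a GOOGLE_APPLICATION_CREDENTIALS document, reports its type, verifies the fields an "external_account" config needs, and compares the resolved googleauth version against the 1.3.0 minimum named at the top of this issue (treated as an assumption here). The sample credential document and its pool/provider values are constructed placeholders.

```ruby
require "json"
require "rubygems" # Gem::Version and Gem::Specification for version checks

# Minimum googleauth version that understands "external_account" credentials.
# Taken from the opening comment of this issue; an assumption, not verified here.
MIN_GOOGLEAUTH_FOR_WIF = Gem::Version.new("1.3.0")

# Fields every external_account (Workload Identity Federation) config must carry.
REQUIRED_WIF_FIELDS = %w[audience subject_token_type token_url credential_source].freeze

# Constructed sample of the file google-github-actions/auth produces for WIF.
# The project number, pool and provider names are placeholders.
SAMPLE_WIF_CONFIG = <<~CREDS
  {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": { "file": "/tmp/oidc-token" }
  }
CREDS

# Version of googleauth visible to the current Ruby process, or nil if absent.
def installed_googleauth_version
  Gem::Specification.find_by_name("googleauth").version.to_s
rescue Gem::LoadError
  nil
end

# Inspect a credentials JSON document and report what the googleauth loader
# will make of it. Returns a Hash with :type, :wif, :missing, :ok and :reason.
def inspect_credentials(json_text, googleauth_version:)
  creds = JSON.parse(json_text)
  type = creds["type"]
  result = { type: type, wif: type == "external_account", missing: [], ok: true, reason: nil }

  case type
  when "service_account", "authorized_user"
    # Long-lived key or user refresh token: loads on any googleauth, but it is
    # exactly the static secret that workload identity federation replaces.
    result[:reason] = "static credential; consider migrating to external_account"
  when "external_account"
    result[:missing] = REQUIRED_WIF_FIELDS.reject { |f| creds.key?(f) }
    unless result[:missing].empty?
      result[:ok] = false
      result[:reason] = "external_account config missing #{result[:missing].join(', ')}"
      return result
    end
    if googleauth_version.nil? || Gem::Version.new(googleauth_version) < MIN_GOOGLEAUTH_FOR_WIF
      # This is the situation the error message in this thread describes.
      result[:ok] = false
      result[:reason] = "credentials type 'external_account' is not supported by " \
                        "googleauth #{googleauth_version.inspect} (need >= #{MIN_GOOGLEAUTH_FOR_WIF})"
    end
  else
    result[:ok] = false
    result[:reason] = "unknown credential type #{type.inspect}"
  end
  result
rescue JSON::ParserError => e
  { type: nil, wif: false, missing: [], ok: false, reason: "not valid JSON: #{e.message}" }
end

if __FILE__ == $PROGRAM_NAME
  path = ENV["GOOGLE_APPLICATION_CREDENTIALS"]
  text = path && File.exist?(path) ? File.read(path) : SAMPLE_WIF_CONFIG
  report = inspect_credentials(text, googleauth_version: installed_googleauth_version)
  puts "type=#{report[:type]} ok=#{report[:ok]} reason=#{report[:reason]}"
end
```

Run it inside the same bundle that inspec-gcp will use (for example `bundle exec ruby wif_preflight.rb`) so that `Gem::Specification.find_by_name` sees the googleauth version bundler resolved through train, not whatever happens to be installed globally; that is the version the override in the Gemfile above is meant to change.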

@wyardley

Seems like googleapis/google-auth-library-ruby#418 is now merged. Any further news, and is anyone working on adding support over here?

@wyardley

wyardley commented Jul 4, 2023

#437

@balasubramanian-s
Contributor

We have implemented support for Workload Identity Federation authentication. This feature is now available after updating the googleauth GCP libraries in the train repository inspec/train#767

4 participants