Support authentication with external_account with Workload Identity Federation #606
Description
I try to run an app from a GitHub workflow. It needs to communicate with Google Cloud. The workflow uses Workload Identity Federation to authenticate. It produces a key of the type external_account while googleapis_auth currently only handles the type service_account.
Given that Workflow Identity Federation is the recommended way to access Google Cloud resources, I think this should be fixed.
Steps to Reproduce
1. Create a project and configure Workload Identity Federation:
export PROJECT='my-project-id'
export ORGANIZATION='my-organization-id'
export GITHUB_USERNAME='my-github-username'
export REPO='my-github-repo'
gcloud projects create $PROJECT --name=$PROJECT --organization=$ORGANIZATION
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT --format='value(projectNumber)')
gcloud services enable cloudbilling.googleapis.com --project=$PROJECT
gcloud services enable iam.googleapis.com --project=$PROJECT
gcloud iam service-accounts create "testing" --project=$PROJECT
gcloud projects add-iam-policy-binding $PROJECT \
--member="serviceAccount:testing@$PROJECT.iam.gserviceaccount.com" \
--role="roles/owner" \
--project=$PROJECT
gcloud iam workload-identity-pools create "github" --location="global" --project=$PROJECT
gcloud iam \
workload-identity-pools providers create-oidc "github" \
--attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
--issuer-uri="https://token.actions.githubusercontent.com" \
--location="global" \
--workload-identity-pool="github" \
--project=$PROJECT
gcloud projects add-iam-policy-binding $PROJECT \
--member="principalSet://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/github/attribute.repository/$GITHUB_USERNAME/$REPO" \
--role="roles/viewer" \
--project=$PROJECT2. Create a Dart app
pubspec.yaml:
name: test1
publish_to: none
environment:
sdk: ^3.2.2
dependencies:
googleapis_auth: ^1.4.1
main.dart:
import 'dart:io';
import 'package:googleapis_auth/auth_io.dart';
Future<void> main() async {
print(File(Platform.environment['GOOGLE_APPLICATION_CREDENTIALS']!).readAsStringSync());
await clientViaApplicationDefaultCredentials(scopes: []);
}3. Set up the workflow
Create the repository variables: PROJECT_NAME, PROJECT_NUMBER.
The workflow:
on:
- workflow_dispatch
jobs:
test:
permissions:
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: 'google-github-actions/auth@v2.1.2'
with:
workload_identity_provider: 'projects/${{ vars.PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github/providers/github'
service_account: 'testing@${{ vars.PROJECT_NAME }}.iam.gserviceaccount.com'
- uses: dart-lang/setup-dart@v1
with:
sdk: 3.3.2
- name: 'Test'
run: |
dart pub get
dart main.dart4. Run the workflow
Expected
No error
Actual
Run dart pub get
dart pub get
dart main.dart
shell: /usr/bin/bash -e {0}
env:
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/my-github-repo/my-github-repo/gha-creds-5647adab863c00a9.json
GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/my-github-repo/my-github-repo/gha-creds-5647adab863c00a9.json
GOOGLE_GHA_CREDS_PATH: /home/runner/work/my-github-repo/my-github-repo/gha-creds-5647adab863c00a9.json
CLOUDSDK_CORE_PROJECT: my-project-id
CLOUDSDK_PROJECT: my-project-id
GCLOUD_PROJECT: my-project-id
GCP_PROJECT: my-project-id
GOOGLE_CLOUD_PROJECT: my-project-id
DART_HOME: /opt/hostedtoolcache/dart/3.3.2/x64
PUB_CACHE: /home/runner/.pub-cache
PUB_TOKEN: ***
Resolving dependencies...
+ args 2.4.2
+ async 2.11.0
+ collection 1.18.0
+ crypto 3.0.3
+ google_identity_services_web 0.3.1+1
+ googleapis_auth 1.5.0
+ http 1.2.1
+ http_parser 4.0.2
+ meta 1.12.0
+ path 1.9.0
+ source_span 1.10.0
+ string_scanner 1.2.0
+ term_glyph 1.2.1
+ typed_data 1.3.2
+ web 0.5.1
Changed 15 dependencies!
{"type":"external_account","audience":"//iam.googleapis.com/projects/my-project-number/locations/global/workloadIdentityPools/github/providers/github","subject_token_type":"urn:ietf:params:oauth:token-type:jwt","token_url":"https://sts.googleapis.com/v1/token","credential_source":{"url":"https://pipelinesghubeus14.actions.githubusercontent.com/***/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/***/jobs/5264e576-3c6f-51f6-f055-fab409685f20/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2Fmy-project-number%2Flocations%2Fglobal%2FworkloadIdentityPools%2Fgithub%2Fproviders%2Fgithub","headers":{"Authorization":"***"},"format":{"type":"json","subject_token_field_name":"value"}},"service_account_impersonation_url":"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/testing@my-project-id.iam.gserviceaccount.com:generateAccessToken"}
Unhandled exception:
Invalid argument(s): The given credentials are not of type service_account (was: external_account).
#0 new ServiceAccountCredentials.fromJson (package:googleapis_auth/src/service_account_credentials.dart:55:7)
#1 fromApplicationsCredentialsFile (package:googleapis_auth/src/adc_utils.dart:59:31)
<asynchronous suspension>
#2 clientViaApplicationDefaultCredentials (package:googleapis_auth/auth_io.dart:61:12)
<asynchronous suspension>
#3 main (file:///home/runner/work/my-github-repo/my-github-repo/main.dart:7:3)
<asynchronous suspension>
Error: Process completed with exit code 255.