Hi, I get the same problem with external_account credentials files from WIF while using gcloud.aio.storage ... this ends in gcloud.aio.auth:
lib/python3.11/site-packages/gcloud/aio/auth/token.py", line 162, in __init__
    self.token_type = Type(self.service_data['type'])
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/enum.py", line 712, in __call__
    return cls.__new__(cls, value)
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/enum.py", line 1135, in __new__
    raise ve_exc
ValueError: 'external_account' is not a valid Type
This is blocking for all my projects since WIF is the only accepted auth strategy in my job context.
Hey folks! As of today, we now support 4/6 types... unfortunately, still not this one in particular. We'd be happy to accept a PR which adds support, but until then we do not currently have the internal capacity to build this.
I do believe one of our vendors is planning on switching over to making WIF mandatory, which would certainly put this on our internal roadmap, but for now please consider this ticket to be "in search of a contributor".
Summary
Add support for the external_account service account type, which is used in Workload Identity Federation.
Background
When running in GitHub Actions, we can use Workload Identity Federation to exchange our GitHub Actions identity token for a corresponding Google Cloud Service Account credential. The credential looks like this:
Google describes this as "pluggable credentials" and this requires support in your software package.
Google supports six types for file-based credentials:
However, this library only supports three of these:
gcloud-aio/auth/gcloud/aio/auth/token.py
Lines 59 to 62 in 597ca5b
Minimum reproduction example
When running in GitHub Actions using a service account obtained through Workload Identity Federation, running the following script:
will yield the following error:
Possible workaround
It may be possible to use Google's library to obtain a token and then instead pass it to gcloud-aio.
See also
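A pre-flight check for the failure reported in this issue, as an added example that is not code from gcloud-aio or from the issue author: it reads the `type` field of the credentials file and rejects an unsupported type with a clear message before the library's enum lookup raises the bare `ValueError`. The `ASSUMED_SUPPORTED` set, the function names and the sample file contents are assumptions made for illustration.

```python
import json
import os
import tempfile

# Assumption: the types your installed gcloud-aio accepts; the issue does not list them.
ASSUMED_SUPPORTED = frozenset({"service_account", "authorized_user"})


class UnsupportedCredentialType(Exception):
    """The credentials file cannot be used with the client library."""


def credential_type(path):
    """Return the 'type' field of a credentials JSON file.

    Only the type is reported; file contents (key material) never reach an error.
    """
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except OSError as exc:
        raise UnsupportedCredentialType(f"cannot read {path}: {exc.strerror}") from None
    except ValueError:  # malformed JSON or invalid UTF-8
        raise UnsupportedCredentialType(f"{path} is not valid JSON") from None
    if not isinstance(data, dict) or not isinstance(data.get("type"), str):
        raise UnsupportedCredentialType(f"{path} has no string 'type' field")
    return data["type"]


def preflight(path, supported=ASSUMED_SUPPORTED):
    """Fail early, with an actionable message, on an unsupported credential type."""
    ctype = credential_type(path)
    if ctype not in supported:
        raise UnsupportedCredentialType(
            f"credential type {ctype!r} is not in the supported set {sorted(supported)}")
    return ctype


def write_sample(doc):
    """Write a constructed credentials document to a temp file (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    return path


if __name__ == "__main__":
    sample = write_sample({"type": "external_account"})  # constructed sample
    try:
        print(preflight(sample))
    except UnsupportedCredentialType as exc:
        print(f"preflight failed: {exc}")
```

In a CI job, call `preflight()` on the path in `GOOGLE_APPLICATION_CREDENTIALS` before constructing any client.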