
Add examples of using gcloud cli to generate transient GCS bucket credentials (HMAC key or service account json key) #475

@gberche-orange


TL;DR

As a GitHub Actions workflow user authenticating to GCP using Workload Identity Federation,
in order to publish objects to a GCS bucket using off-the-shelf tooling that only supports HMAC keys or service account private key credentials,
I need an example of how to use google-github-actions/auth to generate a transient HMAC key or service account private key credential for a GCS bucket, before using it to publish objects in the bucket.

Detailed design

Studying the documentation, I was planning on using Direct Workload Identity Federation, followed by a gcloud call to the IAM service to create a transient HMAC key or service account private key.

The following test shows the format of the saved credentials

test('#createCredentialsFile', { concurrency: true }, async (suite) => {
  await suite.test('writes the file', async () => {
    const outputFile = pathjoin(tmpdir(), randomFilename());
    const client = new WorkloadIdentityFederationClient({
      logger: new NullLogger(),
      universe: 'googleapis.com',
      githubOIDCToken: 'my-token',
      githubOIDCTokenRequestURL: 'https://example.com/',
      githubOIDCTokenRequestToken: 'token',
      githubOIDCTokenAudience: 'my-aud',
      workloadIdentityProviderName: 'my-provider',
    });
    // Expected content of the credential configuration file (external_account type)
    const exp = {
      audience: '//iam.googleapis.com/my-provider',
      credential_source: {
        format: {
          subject_token_field_name: 'value',
          type: 'json',
        },
        headers: {
          Authorization: 'Bearer token',
        },
        url: 'https://example.com/?audience=my-aud',
      },
      subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
      token_url: 'https://sts.googleapis.com/v1/token',
      type: 'external_account',
    };
    // remainder of the test (writing outputFile and comparing it to exp) not quoted here
  });
});

I'm not yet clear on how to use the saved credentials in the gcloud CLI (in order to generate a transient HMAC key / service account key).

The following resources were hard to understand, and an example would greatly help:

https://cloud.google.com/sdk/docs/authorizing#wlif

To authorize the gcloud CLI with a service account using external credentials from Workload Identity Federation

https://google.aip.dev/auth/4117 points to https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#oidc and then https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#file-sourced-credentials

the gcloud CLI, and Terraform, can automatically obtain external credentials, and use these credentials to access Google Cloud. To let libraries and tools complete this process, you have to provide a credential configuration file. This file defines the following:

Where to obtain external credentials from
Which workload identity pool and provider to use
Which service account to impersonate, if you use service account impersonation

File-sourced credentials: The libraries read the external credential from a local plain text or JSON file.

Additional information

Details about the GCS clients that do not support an OAuth bearer token as an authN mechanism:

Support for GCS XML api with HMAC (S3 api)
https://bosh.io/docs/director-configure-blobstore/#default

Support for service account with private key in json format
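One way to do what the issue asks for, as an added example that is not part of the issue and not code from google-github-actions/auth: point gcloud at the external_account credential configuration file (the JSON whose shape the quoted test shows), mint a transient credential for the impersonated service account, hand it to a tool that only speaks HMAC (S3 API) or service account JSON keys, and revoke it in an EXIT trap so a failed upload leaves no credential behind. The environment variable names GOOGLE_APPLICATION_CREDENTIALS (path of the config file), SA_EMAIL and CRED_MODE, and the `run` sub-command convention, are assumptions of this example; the gcloud commands and flags are real ones.

```shell
#!/bin/sh
# Added example (hypothetical script, not from the auth action or the issue).
# Assumed inputs:
#   GOOGLE_APPLICATION_CREDENTIALS  path of the external_account credential config
#   SA_EMAIL                        service account the tool should act as
#   CRED_MODE                       "hmac" (default) or "sa-key"
# Usage: ./transient-gcs-cred.sh run <tool> <args...>
set -eu

# Split the tab-separated line produced by
#   gcloud storage hmac create SA --format='value(metadata.accessId,secret)'
# into HMAC_ACCESS_ID and HMAC_SECRET. Pure, so it can be tested offline.
parse_hmac_line() {
  HMAC_ACCESS_ID=$(printf '%s\n' "$1" | cut -f1)
  HMAC_SECRET=$(printf '%s\n' "$1" | cut -f2)
  # Refuse a malformed line (no tab: cut returns the whole line twice).
  [ -n "$HMAC_ACCESS_ID" ] && [ -n "$HMAC_SECRET" ] && [ "$HMAC_ACCESS_ID" != "$HMAC_SECRET" ]
}

# Extract private_key_id from a service account key JSON read on stdin, without
# depending on jq. gcloud writes one field per line, which is what this expects.
key_id_from_sa_json() {
  sed -n 's/.*"private_key_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# True when the config on stdin is the external_account kind this issue is about
# (and not a downloaded long-lived service account key by mistake).
is_external_account_config() {
  grep -q '"type"[[:space:]]*:[[:space:]]*"external_account"'
}

# Runs from an EXIT trap. HMAC keys must be deactivated before they can be deleted;
# service account keys are deleted server-side and the local file is removed.
revoke_transient_credential() {
  if [ -n "${HMAC_ACCESS_ID:-}" ]; then
    gcloud storage hmac update "$HMAC_ACCESS_ID" --deactivate --quiet
    gcloud storage hmac delete "$HMAC_ACCESS_ID" --quiet
  fi
  if [ -n "${SA_KEY_ID:-}" ]; then
    gcloud iam service-accounts keys delete "$SA_KEY_ID" --iam-account="$SA_EMAIL" --quiet
    rm -f "$SA_KEY_FILE"
  fi
}

main() {
  is_external_account_config < "$GOOGLE_APPLICATION_CREDENTIALS" \
    || { echo "expected an external_account credential config" >&2; exit 1; }
  # Authorize gcloud from the config file: the GitHub OIDC token is exchanged for
  # a short-lived access token; no private key exists at this point.
  gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS" --quiet
  trap revoke_transient_credential EXIT
  case "${CRED_MODE:-hmac}" in
    hmac)
      parse_hmac_line "$(gcloud storage hmac create "$SA_EMAIL" \
        --format='value(metadata.accessId,secret)')"
      # Pass the pair through the environment, never as arguments (arguments
      # show up in process listings and in the job log).
      AWS_ACCESS_KEY_ID="$HMAC_ACCESS_ID" AWS_SECRET_ACCESS_KEY="$HMAC_SECRET" "$@"
      ;;
    sa-key)
      SA_KEY_FILE=$(mktemp -d)/sa-key.json
      gcloud iam service-accounts keys create "$SA_KEY_FILE" --iam-account="$SA_EMAIL" --quiet
      SA_KEY_ID=$(key_id_from_sa_json < "$SA_KEY_FILE")
      SA_KEY_FILE="$SA_KEY_FILE" "$@"
      ;;
    *) echo "unknown CRED_MODE: $CRED_MODE" >&2; exit 1 ;;
  esac
}

# Only run when invoked with "run", so the functions above can be sourced and
# tested without gcloud present.
if [ "${1:-}" = "run" ]; then shift; main "$@"; fi
```

The identity obtained through the config file needs `storage.hmacKeys.create` (and update/delete) or `iam.serviceAccountKeys.create`/`delete` on the service account for this to work; the HMAC secret is only returned once, at creation, which is why it is captured straight from the create command. The HMAC path is the one to prefer where the tooling allows it: the key can be deactivated and deleted the moment the step ends, whereas a service account JSON key is a long-lived private key that exists until the delete call succeeds.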

Labels: enhancement (New feature or request)