Connect to IAP protected endpoint with Workload Identity Federation #1545

Open
michajas opened this issue May 12, 2023 · 3 comments
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@michajas

Hi!
I'm trying to create a setup where I can run my code that will impersonate an SA based on Workload Identity Federation and then call an IAP protected endpoint (running on Cloud Run).
I've managed to do such a setup with the Python library but I'm unable to do it in nodejs.

I've tried to combine samples regarding WIF and IAP but without any luck.

When running const client = await auth.getIdTokenClient(targetAudience); I'm getting the error: Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file.
My GOOGLE_APPLICATION_CREDENTIALS var is pointing to a valid external_account credentials file.

Could you please point me to the right solution?

@michajas michajas added priority: p3 Desirable enhancement or fix. May not be included in next release. type: question Request for information or clarification. Not an issue. labels May 12, 2023
ddelgrosso1 pushed a commit to ddelgrosso1/google-auth-library-nodejs that referenced this issue May 16, 2023
* fix: add hashes to requirements.txt

and update Docker images so they require hashes.

* fix: add hashes to docker/owlbot/java/src

* Squashed commit of the following:

commit ab7384ea1c30df8ec2e175566ef2508e6c3a2acb
Author: Jeffrey Rennie <rennie@google.com>
Date:   Tue Aug 23 11:38:48 2022 -0700

    fix: remove pip install statements (googleapis#1546)

    because the tools are already installed in the docker image as of googleapis/testing-infra-docker#227

commit 302667c9ab7210da42cc337e8f39fe1ea99049ef
Author: WhiteSource Renovate <bot@renovateapp.com>
Date:   Tue Aug 23 19:50:28 2022 +0200

    chore(deps): update dependency setuptools to v65.2.0 (googleapis#1541)

    Co-authored-by: Anthonios Partheniou <partheniou@google.com>

commit 6e9054fd91d1b500cae58ff72ee9aeb626077756
Author: WhiteSource Renovate <bot@renovateapp.com>
Date:   Tue Aug 23 19:42:51 2022 +0200

    chore(deps): update dependency nbconvert to v7 (googleapis#1543)

    Co-authored-by: Anthonios Partheniou <partheniou@google.com>

commit d229a1258999f599a90a9b674a1c5541e00db588
Author: Alexander Fenster <fenster@google.com>
Date:   Mon Aug 22 15:04:53 2022 -0700

    fix: update google-gax and remove obsolete deps (googleapis#1545)

commit 13ce62621e70059b2f5e3a7bade735f91c53339c
Author: Jeffrey Rennie <rennie@google.com>
Date:   Mon Aug 22 11:08:21 2022 -0700

    chore: remove release config and script (googleapis#1540)

    We don't release to pypi anymore.

* chore: rollback java changes

to move forward with other languages until Java's docker image is fixed
Source-Link: googleapis/synthtool@4826337
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-nodejs:latest@sha256:7fefeb9e517db2dd8c8202d9239ff6788d6852bc92dd3aac57a46059679ac9de

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
@sofisl
Contributor

sofisl commented May 25, 2023

Hi @michajas, we haven't yet supported this feature unfortunately. We are discussing the FR as it's been requested in a few other issues on this repo. We'll update once we have an answer!

@sofisl sofisl added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. and removed type: question Request for information or clarification. Not an issue. labels May 25, 2023
@danielbankhead danielbankhead changed the title Connect to IAP protected endpoint with Workload Identity Federatin Connect to IAP protected endpoint with Workload Identity Federation Oct 2, 2023
@aryzle

aryzle commented Jun 3, 2024

hey @sofisl @danielbankhead I'm also stuck on this, any word on this FR? or is there a way to workaround this? I'm trying to run automated tests in a GH action using playwright by hitting an app that's behind IAP. Works locally with my own credentials

@dwiq-jskander

In the same situation here. Github Actions + Workload Identity Federation. We're able to impersonate the Github Actions SA locally and auth to IAP without issue. The issue appears to be isolated to WIF and not just impersonation of a SA.
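One possible workaround for the situation described in this thread, added here as an example; it is not code from google-auth-library or from any participant. It inspects the external_account file, finds the service account it impersonates, and requests an ID token for the IAP audience from the IAM Credentials `generateIdToken` method instead of `getIdTokenClient`. Assumptions: the helper names and sample config are hypothetical, and the impersonated service account is allowed to mint ID tokens for itself (for example through roles/iam.serviceAccountTokenCreator).

```javascript
// Added example: helper names and the sample config are hypothetical.
const IAM = 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts';

// Constructed external_account (WIF) config; pool, provider and SA are placeholders.
const SAMPLE_WIF_CONFIG = JSON.stringify({
  type: 'external_account',
  audience: '//iam.googleapis.com/projects/123456/locations/global/' +
    'workloadIdentityPools/example-pool/providers/example-provider',
  subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
  token_url: 'https://sts.googleapis.com/v1/token',
  service_account_impersonation_url:
    `${IAM}/ci-runner@example-project.iam.gserviceaccount.com:generateAccessToken`,
});

// Report the credential type and the service account the file resolves to.
function describeCredentials(jsonText) {
  const cfg = JSON.parse(jsonText);
  const info = { type: cfg.type, federated: cfg.type === 'external_account', serviceAccount: null };
  if (info.federated && cfg.service_account_impersonation_url) {
    const path = new URL(cfg.service_account_impersonation_url).pathname;
    const m = /\/serviceAccounts\/([^/:]+):generateAccessToken$/.exec(path);
    if (m) info.serviceAccount = decodeURIComponent(m[1]);
  } else if (cfg.type === 'service_account') {
    info.serviceAccount = cfg.client_email || null;
  }
  return info;
}

// Build the IAM Credentials generateIdToken call; audience is the IAP OAuth client ID.
function buildGenerateIdTokenRequest(serviceAccount, audience) {
  // Reject anything that is not a plain e-mail so it cannot alter the URL path.
  if (!/^[a-z0-9._-]+@[a-z0-9.-]+$/i.test(serviceAccount || '')) {
    throw new Error('no usable service account in credentials (impersonation URL missing?)');
  }
  if (!audience) throw new Error('audience (IAP client ID) is required');
  return { url: `${IAM}/${serviceAccount}:generateIdToken`, method: 'POST',
           data: { audience, includeEmail: true } };
}

// authClient: anything with request(opts) that attaches the access token, such as
// the client returned by GoogleAuth#getClient() with the cloud-platform scope.
async function fetchIapIdToken(authClient, credentialsJson, audience) {
  const { serviceAccount } = describeCredentials(credentialsJson);
  const res = await authClient.request(buildGenerateIdTokenRequest(serviceAccount, audience));
  if (!res.data || !res.data.token) throw new Error('generateIdToken returned no token');
  return res.data.token; // send as "Authorization: Bearer <token>" to the IAP endpoint
}
```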
