feat: adds service account impersonation to ExternalAccountClient
#1041
Conversation
* chore: updated samples/package.json [ci skip] * chore: updated CHANGELOG.md [ci skip] * chore: updated package.json Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
This PR was generated using Autosynth. 🌈 Synth log will be available here: https://source.cloud.google.com/results/invocations/5f7f9c6d-c75a-4c60-8bb8-0026a14cead7/targets - [ ] To automatically regenerate this PR, check this box. Source-Link: googleapis/synthtool@94421c4
This PR was generated using Autosynth. 🌈 Synth log will be available here: https://source.cloud.google.com/results/invocations/b742586e-df31-4aac-8092-78288e9ea8e7/targets - [ ] To automatically regenerate this PR, check this box. Source-Link: googleapis/synthtool@bd0deaa
This PR was generated using Autosynth. 🌈 - [ ] To automatically regenerate this PR, check this box. Source-Link: googleapis/synthtool@5747555
* chore: updated samples/package.json [ci skip] * chore: updated CHANGELOG.md [ci skip] * chore: updated package.json Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
If the service_account_impersonation_url is provided, an additional step to exchange the external account GCP access token for a service account impersonated token is performed. This is needed because many Google Cloud services do not yet support external account GCP access tokens.
Codecov Report
@@ Coverage Diff @@
## byoid #1041 +/- ##
========================================
Coverage ? 92.95%
========================================
Files ? 24
Lines ? 4952
Branches ? 572
========================================
Hits ? 4603
Misses ? 349
Partials ? 0 Continue to review full report at Codecov.
|
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
google-cla
bot
added
the
cla: no
|
Note that the changes in test.externalclient.ts are half of what they actually appear in the GitHub diff. Visual code seems to catch the indentations and not treat them as changes whereas GitHub detects them as new changes. Previous structure: New changes: |
|
☝️ @JustinBeckwith pointed this setting out to me the other day, if you ever bump into a situation where whitespace is making review hard. |
👍 Wow, this is super helpful. I didn't know about this. Thanks for sharing. I don't know why this setting isn't on by default. |
feat: implements the OAuth token exchange spec based on rfc8693 (#1026) feat: defines ExternalAccountClient abstract class for external_account credentials (#1030) feat: adds service account impersonation to `ExternalAccountClient` (#1041) feat: defines `IdentityPoolClient` used for K8s and Azure workloads (#1042) feat: implements AWS signature version 4 for signing requests (#1047) feat: defines `ExternalAccountClient` used to instantiate external account clients (#1050) feat!: integrates external_accounts with `GoogleAuth` and ADC (#1052) feat: adds text/json credential_source support to IdentityPoolClients (#1059) feat: get AWS region from environment variable (#1067) Co-authored-by: Wilfred van der Deijl <wilfred@vanderdeijl.com> Co-authored-by: Benjamin E. Coe <bencoe@google.com>
If the service_account_impersonation_url is provided, an additional step to exchange the external account GCP access token for a service account impersonated token is performed.
This is needed because many Google Cloud services do not yet support external account GCP access tokens.