feat: add CLI commands #20
```go
// Credentials. This works on GCE, Cloud Run, GKE, and anywhere a service
// account key or workload identity federation is configured.
func FromGCP(ctx context.Context, audience string) (string, error) {
	ts, err := idtoken.NewTokenSource(ctx, audience)
```
When --token-source=gcp is used on a dev VM that has gcloud auth application-default login configured, idtoken.NewTokenSource walks the standard ADC chain (1. env var, 2. ~/.config/gcloud/application_default_credentials.json, 3. metadata server). Step 2 hits the user's gcloud login first; idtoken rejects it because user credentials can't mint audience-restricted ID tokens and the chain doesn't fall through to the metadata server.
I was able to work around it by renaming ~/.config/gcloud/application_default_credentials.json but that's a bit unintuitive.
IMO, we should do something like:
```go
import "cloud.google.com/go/compute/metadata"

// Ask the metadata server directly for an audience-bound identity token.
tok, err := metadata.GetWithContext(ctx, "instance/service-accounts/default/identity?audience="+url.QueryEscape(audience))
```

To me, this more clearly aligns with the flag's purpose.
We chatted about this outside of the PR - we're going to leave this as-is, since we'd like this to work transparently with the Application Default Credentials pattern where possible. Unfortunately that does mean that if a user runs gcloud auth application-default login, it would cause this flow to stop working, but it would also break anything else that was meant to use the system's service account (e.g. on a VM).
This commit adds two CLI commands to make it possible for users to do the token exchange outside of a GitHub Action. `github-app-sts-client` is a CLI command that performs a token exchange given an OIDC token (like `AWS_WEB_IDENTITY_TOKEN_FILE`) or a token source (like `gcp`, which fetches a token using Google's application default credentials pattern). `git-credential-github-app-sts` is a git credential helper that will perform a token exchange using the same arguments, but will output the token in a way that is compatible with git's credential helper protocol. In the future, we could add more token sources like doing a user-triggered OIDC flow using a local browser.
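As an added illustration of the credential helper protocol that `git-credential-github-app-sts` has to speak (example code, not the PR's own): git runs the helper with an action argument and feeds `key=value` attributes on stdin, and the helper answers with `username=`/`password=` lines. The STS token exchange is replaced by a stand-in callback, and the `x-access-token` username convention for installation tokens is an assumption not stated in the PR.

```go
package main

import (
	"fmt"
	"strings"
)

// parseCredentialRequest parses the key=value lines git writes to a helper's stdin; a blank line ends the request.
func parseCredentialRequest(input string) (map[string]string, error) {
	attrs := map[string]string{}
	for _, line := range strings.Split(input, "\n") {
		if line == "" {
			break
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed credential attribute %q", line)
		}
		attrs[k] = v
	}
	return attrs, nil
}

// handleGet answers git's "get" action. Only https requests for github.com are served;
// anything else gets an empty reply, so git falls through to its next helper and the
// GitHub token never reaches another host. exchange stands in for the STS exchange (assumed).
func handleGet(input string, exchange func() (string, error)) (string, error) {
	req, err := parseCredentialRequest(input)
	if err != nil {
		return "", err
	}
	if req["protocol"] != "https" || req["host"] != "github.com" {
		return "", nil
	}
	tok, err := exchange()
	if err != nil {
		return "", err
	}
	// x-access-token is the username GitHub accepts alongside an installation token.
	return fmt.Sprintf("username=x-access-token\npassword=%s\n", tok), nil
}

func main() {
	// Constructed request and token so this runs offline; a real helper reads os.Stdin instead.
	out, err := handleGet("protocol=https\nhost=github.com\n\n", func() (string, error) { return "ghs_CONSTRUCTED", nil })
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Wiring this to `os.Args` and `os.Stdin` is all that separates it from a helper git can call via `credential.helper`.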
DakotaNelson
left a comment
rubber stamped, did not look that hard since it looks like you and simpsonw have been over it