From dbceefdedddd9c4bf56c51c44a5e4b53059d16ed Mon Sep 17 00:00:00 2001 From: aeitzman Date: Tue, 25 Apr 2023 13:06:54 -0700 Subject: [PATCH 1/5] feat: adding documentation for external account authorized credentials --- README.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 13539195..8776fca6 100644 --- a/README.md +++ b/README.md 
@@ -807,7 +807,29 @@ Where the following variables need to be substituted: `$URL_TO_GET_SAML_ASSERTION`, e.g. `Metadata-Flavor=Google`. - `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project). -### Using Executable-sourced workforce credentials with OIDC and SAML +#### Using External Account Authorized User workforce credentials + +External account authorized user credentials allow you to sign in with a web browser to an external identity provider account via the +gcloud CLI and create a configuration for the auth library to use. + +To generate an external account authorized user workforce identity configuration, run the following command: + +```bash +gcloud auth application-default login --login-config=$LOGIN_CONFIG +``` + +Where the following variable needs to be substituted: +- `$LOGIN_CONFIG`: The login config file generated with the cloud console or + [gcloud iam workforce-pools create-login-config](https://cloud.google.com/sdk/gcloud/reference/iam/workforce-pools/create-login-config) + +This will open a browser flow for you to sign in via the configured third party identity provider +and then will store the external account authorized user configuration at the well known ADC location. +The auth library will then use the provided refresh token from the configuration to generate and refresh +an access token to call Google Cloud services. + +Note that the default lifetime of the refresh token is one hour, after which a new configuration will need to be generated from the gcloud CLI. +The lifetime can be modified by changing the [session duration of the workforce pool](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools), and can be set as high as 12 hours. 
+#### Using Executable-sourced workforce credentials with OIDC and SAML **Executable-sourced credentials** For executable-sourced credentials, a local executable is used to retrieve the 3rd party token. From 52bd1f942cce642bd8bd07cb5c936685e6766bd7 Mon Sep 17 00:00:00 2001 From: aeitzman Date: Tue, 25 Apr 2023 13:10:30 -0700 Subject: [PATCH 2/5] fix: use readme-partials --- .readme-partials.yaml | 23 +++++++++++++++++++++++ README.md | 24 +----------------------- 2 files changed, 24 insertions(+), 23 deletions(-) diff --git a/.readme-partials.yaml b/.readme-partials.yaml index 3284dc89..7dd00380 100644 --- a/.readme-partials.yaml +++ b/.readme-partials.yaml 
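Review bot: in patch 1/5 the new section is written straight into README.md, but README.md is regenerated from .readme-partials.yaml by the OwlBot post-processor (patches 3/5 and 5/5 in this series are exactly that regeneration), so a hand edit here is overwritten on the next run; the text belongs in .readme-partials.yaml, as patch 2/5 then does. The same hunk also rewrites `### Using Executable-sourced workforce credentials with OIDC and SAML` as `#### Using Executable-sourced workforce credentials with OIDC and SAML`, an unrelated heading-level change that should either be dropped or go in its own commit with a reason.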
@@ -477,6 +477,29 @@ body: |- - `$URL_TO_GET_OIDC_TOKEN`: The URL of the local server endpoint to call to retrieve the OIDC token. - `$HEADER_KEY` and `$HEADER_VALUE`: The additional header key/value pairs to pass along the GET request to `$URL_TO_GET_OIDC_TOKEN`, e.g. `Metadata-Flavor=Google`. + #### Using External Account Authorized User workforce credentials + + External account authorized user credentials allow you to sign in with a web browser to an external identity provider account via the + gcloud CLI and create a configuration for the auth library to use. + + To generate an external account authorized user workforce identity configuration, run the following command: + + ```bash + gcloud auth application-default login --login-config=$LOGIN_CONFIG + ``` + + Where the following variable needs to be substituted: + - `$LOGIN_CONFIG`: The login config file generated with the cloud console or + [gcloud iam workforce-pools create-login-config](https://cloud.google.com/sdk/gcloud/reference/iam/workforce-pools/create-login-config) + + This will open a browser flow for you to sign in via the configured third party identity provider + and then will store the external account authorized user configuration at the well known ADC location. + The auth library will then use the provided refresh token from the configuration to generate and refresh + an access token to call Google Cloud services. + + Note that the default lifetime of the refresh token is one hour, after which a new configuration will need to be generated from the gcloud CLI. + The lifetime can be modified by changing the [session duration of the workforce pool](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools), and can be set as high as 12 hours. + #### Using Executable-sourced credentials with OIDC and SAML **Executable-sourced credentials** diff --git a/README.md b/README.md index 8776fca6..13539195 100644 --- a/README.md +++ b/README.md 
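Review bot: the section lands after the `$URL_TO_GET_OIDC_TOKEN` / `$HEADER_KEY` bullets and before `#### Using Executable-sourced credentials with OIDC and SAML`, i.e. in the general external-account part of the partial, whereas patch 1/5 put it in the workforce part (after `$WORKFORCE_POOL_USER_PROJECT`, before `Using Executable-sourced workforce credentials with OIDC and SAML`). Heading and body are about workforce pools (`--login-config`, `gcloud iam workforce-pools create-login-config`, the pool's session duration), so move the partial into the workforce block where readers look for workforce-sourced credential types. Two smaller points on the text: it states that the configuration written to the ADC location carries the refresh token the library uses to mint access tokens, so add one sentence saying that file is a credential and must be protected like any other ADC credential file (not checked in, not shared between users); and `well known ADC location` should read `well-known ADC location`.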
@@ -807,29 +807,7 @@ Where the following variables need to be substituted: `$URL_TO_GET_SAML_ASSERTION`, e.g. `Metadata-Flavor=Google`. - `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project). -#### Using External Account Authorized User workforce credentials - -External account authorized user credentials allow you to sign in with a web browser to an external identity provider account via the -gcloud CLI and create a configuration for the auth library to use. - -To generate an external account authorized user workforce identity configuration, run the following command: - -```bash -gcloud auth application-default login --login-config=$LOGIN_CONFIG -``` - -Where the following variable needs to be substituted: -- `$LOGIN_CONFIG`: The login config file generated with the cloud console or - [gcloud iam workforce-pools create-login-config](https://cloud.google.com/sdk/gcloud/reference/iam/workforce-pools/create-login-config) - -This will open a browser flow for you to sign in via the configured third party identity provider -and then will store the external account authorized user configuration at the well known ADC location. -The auth library will then use the provided refresh token from the configuration to generate and refresh -an access token to call Google Cloud services. - -Note that the default lifetime of the refresh token is one hour, after which a new configuration will need to be generated from the gcloud CLI. -The lifetime can be modified by changing the [session duration of the workforce pool](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools), and can be set as high as 12 hours. 
-#### Using Executable-sourced workforce credentials with OIDC and SAML +### Using Executable-sourced workforce credentials with OIDC and SAML **Executable-sourced credentials** For executable-sourced credentials, a local executable is used to retrieve the 3rd party token. From 33756cfd2cc7ea0b8138a50665eb8b1ff7a927ec Mon Sep 17 00:00:00 2001 From: Owl Bot Date: Tue, 25 Apr 2023 20:13:53 +0000 Subject: [PATCH 3/5] 🦉 Updates from OwlBot post-processor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --- README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/README.md b/README.md index 13539195..9089ab3e 100644 --- a/README.md +++ b/README.md
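Review bot: this README.md hunk in patch 2/5 is an exact revert of patch 1/5's README.md hunk, down to flipping the heading back to `### Using Executable-sourced workforce credentials with OIDC and SAML`, so patches 1/5 and 2/5 net to no README.md change before OwlBot regenerates the file in patch 3/5. Squash the two (or drop the README.md edit from patch 1/5 altogether) so the series does not carry a heading-level flip-flop and a second, deleted copy of the new section in its history.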
@@ -521,6 +521,29 @@ Where the following variables need to be substituted: - `$URL_TO_GET_OIDC_TOKEN`: The URL of the local server endpoint to call to retrieve the OIDC token. - `$HEADER_KEY` and `$HEADER_VALUE`: The additional header key/value pairs to pass along the GET request to `$URL_TO_GET_OIDC_TOKEN`, e.g. `Metadata-Flavor=Google`. +#### Using External Account Authorized User workforce credentials + +External account authorized user credentials allow you to sign in with a web browser to an external identity provider account via the +gcloud CLI and create a configuration for the auth library to use. + +To generate an external account authorized user workforce identity configuration, run the following command: + +```bash +gcloud auth application-default login --login-config=$LOGIN_CONFIG +``` + +Where the following variable needs to be substituted: +- `$LOGIN_CONFIG`: The login config file generated with the cloud console or + [gcloud iam workforce-pools create-login-config](https://cloud.google.com/sdk/gcloud/reference/iam/workforce-pools/create-login-config) + +This will open a browser flow for you to sign in via the configured third party identity provider +and then will store the external account authorized user configuration at the well known ADC location. +The auth library will then use the provided refresh token from the configuration to generate and refresh +an access token to call Google Cloud services. + +Note that the default lifetime of the refresh token is one hour, after which a new configuration will need to be generated from the gcloud CLI. +The lifetime can be modified by changing the [session duration of the workforce pool](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools), and can be set as high as 12 hours. + #### Using Executable-sourced credentials with OIDC and SAML **Executable-sourced credentials** From 22f85f31f72bfdc6d8591dc73d007c14da6b7ac6 Mon Sep 17 00:00:00 2001 
From: aeitzman Date: Tue, 25 Apr 2023 15:08:23 -0700 Subject: [PATCH 4/5] fix: code review comments --- .readme-partials.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.readme-partials.yaml b/.readme-partials.yaml index 7dd00380..21334d0a 100644 --- a/.readme-partials.yaml +++ b/.readme-partials.yaml @@ -479,7 +479,7 @@ body: |- #### Using External Account Authorized User workforce credentials - External account authorized user credentials allow you to sign in with a web browser to an external identity provider account via the + [External account authorized user credentials](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#browser-based-sign-in) allow you to sign in with a web browser to an external identity provider account via the gcloud CLI and create a configuration for the auth library to use. To generate an external account authorized user workforce identity configuration, run the following command: From 9b8222e7d1e2c8ddede32253c1cab90291d3efe1 Mon Sep 17 00:00:00 2001 From: Owl Bot Date: Tue, 25 Apr 2023 22:12:42 +0000 Subject: [PATCH 5/5] 🦉 Updates from OwlBot post-processor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9089ab3e..0fef4af0 100644 --- a/README.md +++ b/README.md
@@ -523,7 +523,7 @@ Where the following variables need to be substituted: #### Using External Account Authorized User workforce credentials -External account authorized user credentials allow you to sign in with a web browser to an external identity provider account via the +[External account authorized user credentials](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#browser-based-sign-in) allow you to sign in with a web browser to an external identity provider account via the gcloud CLI and create a configuration for the auth library to use. To generate an external account authorized user workforce identity configuration, run the following command: