Commit
feat: defines google.auth.aws.Credentials used for AWS workloads (#625)

This will subclass the abstract class `google.auth.external_account.Credentials` and will compute subject tokens as follows:

- Retrieve AWS region from either `AWS_REGION` envvar or AWS metadata server `availability-zone`.
- Check AWS credentials in environment variables:
  - `AWS_ACCESS_KEY_ID`
  - `AWS_SECRET_ACCESS_KEY`
  - `AWS_SESSION_TOKEN`

  If not found, get from AWS metadata server `security-credentials` endpoint.
- Get AWS credentials from AWS metadata server `security-credentials` endpoint. In order to retrieve this, the AWS role needs to be determined by calling `security-credentials` endpoint without any argument. Then the credentials can be retrieved via: `security-credentials/role_name`
- Generate the signed request to AWS STS `GetCallerIdentity` action.
- Inject `x-goog-cloud-target-resource` into reformatted header and serialize the signed request. This will be the subject-token to pass to GCP STS.
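The subject-token computation the commit message outlines, as an added worked example in Python. This is illustrative code written for this page, not code from google-auth-library-python: the environment-variable and metadata-server lookups are replaced by constructed inputs (the `SAMPLE_*` values are placeholders, not real credentials or a real pool provider), the region is derived from a sample availability zone by dropping its trailing zone letter, and the clock is pinned so the output is deterministic. The example signs the STS `GetCallerIdentity` request with SigV4, includes `x-goog-cloud-target-resource` among the signed headers so the resulting token is bound to one workload identity pool provider, and serializes the request as URL-encoded JSON with `url`, `method` and `headers` fields.

```python
import datetime
import hashlib
import hmac
import json
import urllib.parse

# Constructed sample inputs (NOT real credentials, NOT a real pool provider).
# They stand in for what the library would read from AWS_* environment
# variables or the AWS metadata server; the time is pinned for determinism.
SAMPLE_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_SESSION_TOKEN = "AQoDYXdzEXAMPLESESSIONTOKEN"
SAMPLE_ZONE = "us-east-2b"
SAMPLE_TARGET_RESOURCE = (
    "//iam.googleapis.com/projects/123456789/locations/global/"
    "workloadIdentityPools/example-pool/providers/example-aws-provider"
)
SAMPLE_TIME = datetime.datetime(2020, 8, 15, 12, 0, 0)


def region_from_zone(zone: str) -> str:
    """Map an availability zone such as 'us-east-2b' to its region 'us-east-2'."""
    return zone[:-1]


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str = "sts") -> bytes:
    """Derive the SigV4 signing key: HMAC chain over date, region, service, terminator."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, url: str, headers: dict, payload: bytes = b"") -> tuple:
    """Build the SigV4 canonical request; returns (canonical_request, signed_headers)."""
    parsed = urllib.parse.urlparse(url)
    query = sorted(urllib.parse.parse_qsl(parsed.query, keep_blank_values=True))
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in query
    )
    # Header names are lower-cased and sorted; values are trimmed.
    lowered = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in lowered)
    signed_headers = ";".join(k for k, _ in lowered)
    canonical = "\n".join([
        method,
        parsed.path or "/",
        canonical_query,
        canonical_headers,  # ends with '\n', so the join yields the required blank line
        signed_headers,
        hashlib.sha256(payload).hexdigest(),
    ])
    return canonical, signed_headers


def build_subject_token(access_key_id, secret_access_key, session_token, region, target_resource, now):
    """Sign an STS GetCallerIdentity request and reformat it as the GCP subject token."""
    url = f"https://sts.{region}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "host": urllib.parse.urlparse(url).netloc,
        "x-amz-date": amz_date,
        # Signed along with the rest, so the token is bound to one pool provider:
        # a token minted for one provider cannot be replayed against another.
        "x-goog-cloud-target-resource": target_resource,
    }
    if session_token:  # temporary credentials (e.g. from the metadata server) need this
        headers["x-amz-security-token"] = session_token
    canonical, signed_headers = canonical_request("POST", url, headers)
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(
        signing_key(secret_access_key, date_stamp, region), string_to_sign.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {
        "url": url,
        "method": "POST",
        "headers": [{"key": "Authorization", "value": authorization}]
        + [{"key": k, "value": v} for k, v in headers.items()],
    }


def serialize_subject_token(token: dict) -> str:
    """URL-encode the JSON request so it can be sent as the subject_token to GCP STS."""
    return urllib.parse.quote(json.dumps(token))


if __name__ == "__main__":
    token = build_subject_token(
        SAMPLE_ACCESS_KEY_ID, SAMPLE_SECRET_ACCESS_KEY, SAMPLE_SESSION_TOKEN,
        region_from_zone(SAMPLE_ZONE), SAMPLE_TARGET_RESOURCE, SAMPLE_TIME,
    )
    print(json.dumps(token, indent=2))
    print(serialize_subject_token(token))
```

Two points worth checking against a real deployment: the session token header is only emitted when temporary credentials are in play (static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pairs have none), and everything the canonical request covers, including the target-resource header, is what the AWS signature attests, so GCP STS can reject a token whose `x-goog-cloud-target-resource` does not match the provider it was presented to.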