Support ImpersonatedCredentials #24636
Comments
@nicolasnoble (sorry, I'm unsure how I assigned this issue over (unless this is blunderbuss/autoassigning))
Jiangtao, can you please advise, or redirect as appropriate? Thanks!
@salrashid123 I think STS credentials can achieve your needs. STS credentials allow you to configure a token exchange service URI to create short-lived service account credentials. Can you use STS credentials instead?
Google doesn't have an STS endpoint that will exchange tokens for impersonated ones (and no plans to though, AFAIK). It'd be really useful and consistent if the STS did this task but currently you need to utilize the specific API to impersonate GCP accounts (i.e., you have to use the
@salrashid123 You need ImpersonatedCredentials in C++ grpc, right? For other languages, we can use the Google auth library. I saw you have contributed to the Java auth library to add ImpersonatedCredentials (googleapis/google-auth-library-java#211). If you prefer, you can make a PR to add it in the grpc repo. We can help review.
Yep, it's just in context with cpp (as you mentioned, the other languages can use Google auth libraries to source in the impersonated credentials). I would contribute code to support this but I really don't know cpp in any meaningful detail. However, I'd be more than happy to help test and discuss/define specifications on its operations if anyone is willing to do the PR.
This issue/PR has been automatically marked as stale because it has not had any update (including commits, comments, labels, milestones, etc) for 30 days. It will be closed automatically if no further update occurs in 7 days. Thank you for your contributions!
Feature request to support ImpersonatedCredential sources for GCP Credentials.

Impersonated credentials on GCP exchange a source access_token for another GCP service account's access_token. This mechanism is detailed here: Creating short-lived service account credentials.

If a grpc client wants to execute some code as another token type, it can use its current GCP credentials to interact with the IAM API to finally derive the new token. Currently, there doesn't seem to be any easy way to use gRPC clients to automatically facilitate this.

For ref, this type of identity exchange is in several other GCP APIs (in general, not specific to grpc)
Describe the solution you'd like
One possibility is to perform an exchange explicitly as a new grpc:GoogleImpersonatedCredentials here: e.g.
Describe alternatives you've considered
It may be possible to use STS credentials against GCP's STS endpoint to do this (i.e., exchange gcp_access token for another gcp_access token via STS instead of IAMCredentials api)
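
The exchange this request describes, sketched as an added C++ example (not code from the issue or from gRPC): a token source that calls the IAM Credentials API `generateAccessToken` method with the source token and caches the short-lived result. `ImpersonatedTokenSource`, `Token`, `Exchange`, the injected transport and the 60-second refresh margin are hypothetical names and assumptions; scopes are assumed to need no JSON escaping.

```cpp
#include <chrono>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Added illustration; the types below are hypothetical, not gRPC or Google APIs.
using Clock = std::chrono::system_clock;
struct Token { std::string value; Clock::time_point expiry; };

// Injected HTTP transport (assumption): POSTs json_body to url with
// "Authorization: Bearer <source_token>" and returns accessToken/expireTime.
using Exchange = std::function<Token(const std::string& url,
                                     const std::string& json_body,
                                     const std::string& source_token)>;

class ImpersonatedTokenSource {
 public:
  ImpersonatedTokenSource(std::string target_sa, std::vector<std::string> scopes,
                          int lifetime_s, Exchange exchange)
      : target_(std::move(target_sa)), scopes_(std::move(scopes)),
        lifetime_s_(lifetime_s), exchange_(std::move(exchange)) {}

  // IAM Credentials API endpoint for the service account being impersonated.
  std::string Url() const {
    return "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" +
           target_ + ":generateAccessToken";
  }

  // Request body: the scopes to grant and the lifetime in seconds ("3600s").
  std::string Body() const {
    std::string b = "{\"scope\":[";
    for (std::size_t i = 0; i < scopes_.size(); ++i)
      b += (i ? ",\"" : "\"") + scopes_[i] + "\"";
    return b + "],\"lifetime\":\"" + std::to_string(lifetime_s_) + "s\"}";
  }

  // Returns the cached impersonated token; exchanges again only when none is
  // cached or the cached one is within 60 s of expiry.
  std::string Get(const std::string& source_token, Clock::time_point now) {
    if (cached_.value.empty() || now + std::chrono::seconds(60) >= cached_.expiry)
      cached_ = exchange_(Url(), Body(), source_token);
    return cached_.value;
  }

 private:
  std::string target_; std::vector<std::string> scopes_; int lifetime_s_;
  Exchange exchange_; Token cached_;
};
```

The source identity needs permission to mint tokens for the target account, and keeping `scopes` and `lifetime_s` as small as the call requires limits what a leaked impersonated token can do.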