
Support ImpersonatedCredentials #24636

Closed
salrashid123 opened this issue Nov 2, 2020 · 7 comments

Comments

@salrashid123

Feature request to support ImpersonatedCredential sources for GCP Credentials.

Impersonated credentials on GCP exchange a source access_token for another GCP service account's access_token. This mechanism is detailed here: Creating short-lived service account credentials

If a grpc client wants to execute some code as another token type, it can use its current GCP credentials to interact with the IAM API to finally derive the new token. Currently, there doesn't seem to be any easy way to use gRPC clients to automatically facilitate this.

For reference, this type of identity exchange is in several other GCP APIs (in general, not specific to grpc).

Describe the solution you'd like

One possibility is to perform an exchange explicitly as a new grpc::GoogleImpersonatedCredentials here:

e.g.

    // Source credentials: whatever the process already runs as (ADC).
    auto creds = grpc::GoogleDefaultCredentials();
    // Proposed API: wrap the source credentials so that calls go out as the target service account.
    auto creds2 = grpc::GoogleImpersonatedCredentials(creds, "impersonated-svcaccount@iam.gserviceaccount.com");
    m_channel = grpc::CreateChannel("dialogflow.googleapis.com", creds2);

Describe alternatives you've considered

It may be possible to use STS credentials against GCP's STS endpoint to do this (i.e. exchange a GCP access token for another GCP access token via STS instead of the IAMCredentials API).
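The exchange the issue describes (caller's own access token in, target service account's access token out, via `iamcredentials.generateAccessToken`) is shown below as an added, self-contained example; it is not gRPC's code and not the proposal above. The endpoint path, request body fields (`scope`, `lifetime`, `delegates`) and response fields (`accessToken`, `expireTime`) are those of the real IAM Credentials API; the `ImpersonatedCredentials` class, the injectable `transport` callable, the fake clock and every token value are constructed for the demo so it runs offline. The class also handles the part a client library has to get right: caching the short-lived token and refreshing it before it expires.

```python
# Added example: client-side mechanics of GCP service-account impersonation.
# Not gRPC's code; class name, transport interface and all token values are constructed.
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Optional, Sequence, Tuple

IAM_CREDENTIALS_ENDPOINT = "https://iamcredentials.googleapis.com/v1"
DEFAULT_MAX_LIFETIME_SECONDS = 3600  # the API's default cap on a generated token


def build_generate_access_token_request(
    source_access_token: str, target_service_account: str, scopes: Sequence[str],
    lifetime_seconds: int = DEFAULT_MAX_LIFETIME_SECONDS, delegates: Sequence[str] = (),
) -> Tuple[str, Dict[str, str], Dict[str, Any]]:
    """Build (url, headers, body) for iamcredentials.generateAccessToken.

    The caller authenticates with its *own* token; the target's email is in the
    path. The caller needs roles/iam.serviceAccountTokenCreator on the target
    (and on each link of a delegation chain) or the API rejects the request.
    """
    if not scopes:
        raise ValueError("generateAccessToken requires at least one OAuth scope")
    if not 1 <= lifetime_seconds <= DEFAULT_MAX_LIFETIME_SECONDS:
        raise ValueError("lifetime must be between 1s and 3600s")
    url = (f"{IAM_CREDENTIALS_ENDPOINT}/projects/-/serviceAccounts/"
           f"{target_service_account}:generateAccessToken")
    headers = {"Authorization": f"Bearer {source_access_token}",
               "Content-Type": "application/json"}
    body: Dict[str, Any] = {"scope": list(scopes), "lifetime": f"{lifetime_seconds}s"}
    if delegates:
        body["delegates"] = [f"projects/-/serviceAccounts/{d}" for d in delegates]
    return url, headers, body


def parse_generate_access_token_response(payload: Dict[str, Any]) -> Tuple[str, datetime]:
    """Extract (accessToken, expireTime); expireTime is RFC 3339 with a trailing Z."""
    expires_at = datetime.fromisoformat(payload["expireTime"].replace("Z", "+00:00"))
    return payload["accessToken"], expires_at


Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


class ImpersonatedCredentials:
    """Caches the impersonated token and refreshes it shortly before expiry."""

    def __init__(self, source_token_provider: Callable[[], str], target_service_account: str,
                 scopes: Sequence[str], transport: Transport,
                 refresh_skew: timedelta = timedelta(minutes=5),
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._source, self._target, self._scopes = source_token_provider, target_service_account, list(scopes)
        self._transport, self._skew, self._clock = transport, refresh_skew, clock
        self._token: Optional[str] = None
        self._expires_at: Optional[datetime] = None
        self.refresh_count = 0

    def _needs_refresh(self) -> bool:
        if self._token is None or self._expires_at is None:
            return True
        return self._clock() >= self._expires_at - self._skew  # refresh inside the skew window

    def get_token(self) -> str:
        if self._needs_refresh():
            url, headers, body = build_generate_access_token_request(
                self._source(), self._target, self._scopes)
            self._token, self._expires_at = parse_generate_access_token_response(
                self._transport(url, headers, body))
            self.refresh_count += 1
        return self._token


def demo() -> Tuple[ImpersonatedCredentials, List[Dict[str, Any]]]:
    """Offline run against a constructed fake of the IAM Credentials API."""
    now = [datetime(2020, 11, 2, 12, 0, tzinfo=timezone.utc)]  # constructed, controllable clock
    calls: List[Dict[str, Any]] = []

    def fake_iam_api(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        calls.append({"url": url, "headers": headers, "body": body})
        expire = now[0] + timedelta(seconds=int(body["lifetime"].rstrip("s")))
        # Constructed response in the real API's shape; the token value is fake.
        return {"accessToken": f"ya29.fake-impersonated-{len(calls)}",
                "expireTime": expire.strftime("%Y-%m-%dT%H:%M:%SZ")}

    creds = ImpersonatedCredentials(
        source_token_provider=lambda: "ya29.fake-source-token",
        target_service_account="impersonated-svcaccount@iam.gserviceaccount.com",
        scopes=["https://www.googleapis.com/auth/cloud-platform"],
        transport=fake_iam_api, clock=lambda: now[0])
    creds.get_token()
    creds.get_token()                 # served from cache, no second API call
    now[0] += timedelta(minutes=56)   # now inside the 5-minute refresh window
    creds.get_token()                 # triggers the second exchange
    return creds, calls
```

In a real client `transport` would be an authenticated HTTPS POST and `source_token_provider` would come from Application Default Credentials; the point of keeping both injectable is that the impersonation logic (which principal authenticates, which one is named in the path, when to re-exchange) can be exercised without touching the network. Each successful exchange is also recorded against the target service account in Cloud Audit Logs, which is where unexpected impersonation would be spotted.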

@salrashid123
Author

@nicolasnoble (sorry, I'm unsure how I assigned this issue over, unless this is blunderbuss/auto-assigning)

@markdroth
Member

Jiangtao, can you please advise, or redirect as appropriate? Thanks!

@jiangtaoli2016

@salrashid123 I think STS credentials can achieve your needs. STS credentials allow you to configure the token exchange service URI to create short-lived service account credentials. Can you use STS credentials instead?

@salrashid123
Author

Google doesn't have an STS endpoint that will exchange tokens for impersonated ones (and no plans to, though, AFAIK). It'd be really useful and consistent if the STS did this task, but currently you need to utilize the specific API to impersonate GCP accounts (i.e. you have to use iamcredentials.generateAccessToken()). Customers can run their own STS server that does this, but that is a bit awkward to manage.

@jiangtaoli2016

@salrashid123 You need ImpersonatedCredentials in c++ grpc, right? For other languages, we can use Google auth library.

I saw you have contributed to Java auth library to add ImpersonatedCredentials (googleapis/google-auth-library-java#211). If you prefer, you can make a PR to add in grpc repo. We can help review.

@salrashid123
Author

Yep, it's just in context with cpp (as you mentioned, the other languages can use Google auth libraries to source in the impersonated credentials).

I would contribute code to support this, but I really don't know cpp in any meaningful detail.

However, I'd be more than happy to help test and discuss/define specifications on its operations if anyone is willing to do the PR.

@stale

stale bot commented Mar 19, 2021

This issue/PR has been automatically marked as stale because it has not had any update (including commits, comments, labels, milestones, etc.) for 30 days. It will be closed automatically if no further update occurs in 7 days. Thank you for your contributions!

@stale stale bot closed this as completed Jun 3, 2021