GOOGLE_APPLICATION_CREDENTIALS: credentials type 'external_account' is not supported

[brettcurtis]

I'd like to be able to use OIDC from GitHub Actions to GCP when running inspec tests against my infrastructure. Specifically when using Kitchen-Terraform.

Detailed Description

When running kitchen verify I get the following issue:

>>>>>> Unable to read the credential file specified by GOOGLE_APPLICATION_CREDENTIALS: credentials type 'external_account' is not supported

Context

Using long-lived credentials isn't ideal.

[clintoncwolfe]

Thanks for the request - this will be handled over in inspec-gcp. Thanks!

[brettcurtis]

Should the issue be in this repo: https://github.com/googleapis/google-auth-library-ruby, I wonder?

edit googleapis/google-auth-library-ruby#354

[brettcurtis]

This has been fixed in https://github.com/googleapis/google-auth-library-ruby/releases/tag/googleauth%2Fv1.6.0 according to our Google TAMs.

What is required to get inspec using this version of googleauth - it looks like we are stuck here:

Could not find compatible versions

Because train >= 3.4.7 depends on googleauth >= 0.6.6, <= 0.14.0
  and inspec >= 5.18.14 depends on train ~> 3.10,
  inspec >= 5.18.14 requires googleauth >= 0.6.6, <= 0.14.0.

inspec/train#729

[balasubramanian-s]

We have implemented support for Workload Identity Federation authentication.
This feature is now available inspec/train#767