Skip to content
/ gcreds4aws Public

Google Cloud Credentials utility for AWS Environment

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mashiike/gcreds4aws

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
.golangci.yaml
.golangci.yaml
 
 
.tagpr
.tagpr
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
gcred.go
gcred.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

gcreds4aws

Google Cloud Credentials utility for AWS Environment

Usage

package main

import (
	"context"
	"log"

	"github.com/mashiike/gcreds4aws"
	"google.golang.org/api/option"
	"google.golang.org/api/sheets/v4"
)

func main() {
	defer gcreds4aws.Close()
	srv, err := sheets.NewService(context.Background(), gcreds4aws.WithCredentials(ctx), option.WithScopes(sheets.SpreadsheetsReadonlyScope))
	if err != nil {
		log.Fatalf("Unable to retrieve Sheets client: %v", err)
	}

	// Google Sheets API Sample
	spreadsheetId := "<your spreadsheet id>"
	readRange := "A1:D5"
	resp, err := srv.Spreadsheets.Values.Get(spreadsheetId, readRange).Do()
	if err != nil {
		log.Fatalf("Unable to retrieve data from sheet: %v", err)
	}
	log.Fatal(resp.Values)
}

Use with AWS SSM Parameter Store

set environment variable GOOGLE_APPLICATION_CREDENTIALS to SSM Parameter Store ARN.

export GOOGLE_APPLICATION_CREDENTIALS="arn:aws:ssm:<region>:<account-id>:parameter/<parameter-name>"

Google Cloud Credentials will be fetched from the SSM Parameter Store and cache to in-memory.

With workload identity pool, (not EC2 instance)

The credentials for using the default workload identity pool are as follows:

{
  "type": "external_account",
  "audiance": "//iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-name>/providers/<provider-name>",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<service-account-email>:generateAccessToken",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}

However, this is designed to work on EC2 instances and will not function on Lambda or ECS. To work around this, a proxy server can be started locally to simulate the EC2 instance metadata endpoint and provide credential information.

If you want to output the access logs of the internally started HTTP server, set the logger as follows:

gcred4aws.SetLogger(slog.Default())

About

Google Cloud Credentials utility for AWS Environment

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 3

v0.1.2 Latest
Jun 28, 2024
+ 2 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages