No token in google.auth credentials for aws workload identity federation


Why would the code below result in no token in the returned credentials? (The WIF pool with an AWS provider exists, and a service account is connected to it.)

from google.auth import aws

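def lambda_handler(event, context):
    """Lambda entry point: exchange the function's AWS identity for a Google Cloud access token.

    ``aws.Credentials.from_info`` only parses the external_account config; it
    contacts neither AWS nor Google. ``credentials.token`` therefore stays
    ``None`` and ``credentials.valid`` stays ``False`` until ``refresh`` runs
    the exchange (AWS caller identity -> Google STS federated token ->
    impersonated service-account access token).

    Args:
        event: Lambda event payload (unused).
        context: Lambda runtime context (unused).

    Raises:
        google.auth.exceptions.RefreshError: raised by the google-auth library
            when a step of the exchange fails (e.g. the pool/provider/service
            account binding is missing or the Lambda has no AWS credentials).
    """
    # Function-scope import: the requests transport is only needed here and
    # the file already imports from google.auth at module level.
    import google.auth.transport.requests

    json_config_info = {
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/XXX/locations/global/workloadIdentityPools/awspool/providers/awsprovider",
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
            "environment_id": "aws1",
            # NOTE(review): google-auth reads AWS_REGION / AWS_ACCESS_KEY_ID /
            # AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN from the environment
            # before falling back to these metadata URLs; Lambda normally sets
            # those variables, so the IMDS endpoints are a fallback only.
            "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
        },
    }

    credentials = aws.Credentials.from_info(json_config_info)

    # The actual token exchange happens here, not in from_info(): without this
    # call token is None and valid is False.
    credentials.refresh(google.auth.transport.requests.Request())

    # Log only whether a token was issued. The token itself is a bearer
    # credential and would otherwise be written to CloudWatch logs in clear.
    print('token present: ', credentials.token is not None)
    print('valid: ', credentials.valid)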

I'm getting token=None and valid=False, whereas my understanding is that the credentials should have a token and valid=True.



guillaume blaquiere On BEST ANSWER

You have to refresh the credentials before they carry a token that can be used for a request to Google Cloud. Something like this:

from google.auth import aws

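def lambda_handler(event, context):
    """Lambda entry point: obtain a Google Cloud access token through workload identity federation.

    Parsing the config with ``aws.Credentials.from_info`` produces a
    credentials object with no token; the exchange against AWS STS, Google
    STS and the IAM Credentials API is only performed by ``refresh``. The
    refresh must be called on the same ``credentials`` object that is
    inspected afterwards.

    Args:
        event: Lambda event payload (unused).
        context: Lambda runtime context (unused).

    Raises:
        google.auth.exceptions.RefreshError: raised by the google-auth library
            when the exchange fails.
    """
    import google.auth.transport.requests

    json_config_info = {
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/XXX/locations/global/workloadIdentityPools/awspool/providers/awsprovider",
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
            "environment_id": "aws1",
            # NOTE(review): the AWS_* credential environment variables that the
            # Lambda runtime provides take precedence over these metadata URLs
            # in google-auth; confirm for the library version in use.
            "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
        },
    }

    credentials = aws.Credentials.from_info(json_config_info)

    # Refresh the object we are about to inspect; a refresh on any other
    # name would raise NameError or leave this object without a token.
    request = google.auth.transport.requests.Request()
    credentials.refresh(request)

    # Do not print the access token itself: it is a bearer credential and
    # print() output ends up in CloudWatch logs.
    print('token present: ', credentials.token is not None)
    print('valid: ', credentials.valid)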