Support for Workload Identity Federation
johnkeates opened this issue · comments
Is your feature request related to a problem? Please describe.
Instead of using hardcoded secrets to access the Google APIs, Workload Identity Federation allows for AWS IAM-based short lived credentials
Describe the solution you'd like
Using Workload Identity Federation you can use a credential configuration for the Google SDK to configure the credential source to be something else, in this use case you would use an IAM Role for the lambda (or container or local binary) which provides it with short-lived AWS credentials. Those are in turn used to collect short-lived Google credentials for a service account to access the Google directory and admin APIs.
Additional context
This seems to be supported by the libraries that are already in use as per https://pkg.go.dev/golang.org/x/oauth2/google#hdr-Credentials and instead of directly calling the google.JWTConfigFromJSON function with the provided file-based credentials, the automatic credential discovery can be used. This is similar to the credential provider chain in the AWS SDK.