The current workload identity federation implementation for AWS in the Google Auth Python Library is based on the EC2 metadata server.

To make workload identity federation work in ECS, we need to apply a few tweaks as shown in gcp_aws_credentials.py to customize how the AWS token and client ID are obtained.

This workaround is following the guidance from the auth library maintainers as mentioned in this comment.

In the Go implementation we use the Google externalaccount.NewTokenSource function with a custom AWS security credentials supplier. An end to end example can be found here.

Most likely you'll want to authenticate the AWS service in GCP via the task role:

principalSet://iam.googleapis.com/projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{WORKLOAD_IDENTITY_POOL_ID}/attribute.aws_role/arn:aws:sts::{AWS_PROJECT_ID}:assumed-role/{ECS_TASK_ROLE}

You could also use the individual task run ID

principal://iam.googleapis.com/projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{WORKLOAD_IDENTITY_POOL_ID}/subject/arn:aws:sts::{AWS_PROJECT_ID}:assumed-role/{ECS_TASK_ROLE}/{ECS_TASK_ID}

This code is provided as a proof of concept and is not optimized for production use.

In a production environment, consider implementing:

• Caching of access credentials: The current implementation fetches new credentials for every request. Caching credentials would significantly improve performance.
• Error handling and retries: Robust error handling and retry mechanisms are crucial for production-level reliability.
• Security best practices: Review and implement appropriate security measures for handling credentials and accessing GCP services.

This code should not be used in production without careful consideration and implementation of the above points.