Skip to content

Refactor IDToken source for compute_engine #362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Refactor IDToken source for compute_engine #362

wants to merge 2 commits into from

Conversation

salrashid123
Copy link
Contributor

Fixes #344

and as a continuation of #347

_ do not merge_

This PR alters the internal behavior of how an IDToken is acquired through compute_engine credentials. Previously, an idtoken was acquired through (basically) the IAM api and impersonation. This credential type shoudl get the id_token from the metadata server. This change alters the source of the token but keeps the IAM signer capability for now.

The token format returned by metadata may include additional fields but in its defaults, is in the same IDToken format provided by the existing IAM credentials signer mechanism. This pr basically ignores one of the exiting parameters provided, additioal_claims=, since that would not work anyway with any credential type.

@googlebot googlebot added the cla: yes This human has signed the Contributor License Agreement. label Aug 10, 2019
This was referenced Aug 12, 2019
Closed
Closed
Closed
@salrashid123
Copy link
Contributor Author

Any thought about this proposed change?

the impact as i see it shouldn't be much. Existing users on compute would've had to enable the IAM api, grant impersonation and then get an id_token via signing and exchanging. The idtoken would represent the source service account from the GCE instance itself (like what w'ere doing here).

I'm leaving the Signer capability in now since people would be using it to do stuff like signURL...eventually, that shoudl also get deprecated but that'll be for later

@busunkim96 busunkim96 closed this Jul 31, 2020
@busunkim96 busunkim96 reopened this Jul 31, 2020
@parthea
Copy link
Contributor

parthea commented Aug 14, 2021

Hi @salrashid123 , I'm going to close this PR due to inactivity but please feel free to re-open it.

@parthea parthea closed this Aug 14, 2021
@salrashid123
Copy link
Contributor Author

i tink this was already implemented by some other PR
https://github.com/googleapis/google-auth-library-python/blob/master/google/auth/compute_engine/credentials.py#L216

@salrashid123 salrashid123 deleted the add-compute-id-token branch August 16, 2021 18:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

compute_engine.IDTokenCredentials should use Metadata server and not IAMCredentials API
4 participants
@salrashid123 @parthea @googlebot @busunkim96