docs(iam-samples): added snippet to demo workload identity federation with aws (GoogleCloudPlatform#6933)

Sita04 · busunkim96 · web-flow · commit e6006e50db30 · 2021-10-27T00:03:27.000+05:30
* docs(samples): init add workload identity federation samples

* added test and env variables

* added comment

* updated requirements.txt to add boto3 and botocore

* docs(iam-samples): lint and header fix

* docs(iam-samples): lint fix

* Apply suggestions from code review

Co-authored-by: Bu Sun Kim &lt;8822365+busunkim96@users.noreply.github.com&gt;

* applied review suggestions

* docs(iam-samples): pass aws session credentials as env vars

Co-authored-by: Bu Sun Kim &lt;8822365+busunkim96@users.noreply.github.com&gt;
diff --git a/iam/api-client/noxfile_config.py b/iam/api-client/noxfile_config.py
@@ -38,5 +38,9 @@
 
     # A dictionary you want to inject into your test. Don't put any
     # secrets here. These values will override predefined values.
-    'envs': {},
+    'envs': {
+        # Required for workload identity federation with AWS.
+        'AWS_ACCESS_KEY_ID': 'AKIA000000000EXAMPLE',
+        'AWS_SECRET_ACCESS_KEY': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+    },
 }
diff --git a/iam/api-client/requirements.txt b/iam/api-client/requirements.txt
@@ -1,3 +1,5 @@
 google-api-python-client==2.25.0
 google-auth==2.0.0
 google-auth-httplib2==0.1.0
+boto3==1.18.48
+botocore==1.21.48
diff --git a/iam/api-client/workload_identity_federation.py b/iam/api-client/workload_identity_federation.py
@@ -0,0 +1,61 @@
+#  Copyright 2021 Google LLC
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+"""Demonstrates how to obtain short-lived credentials with identity federation."""
+import json
+import urllib
+
+import boto3
+from botocore.auth import SigV4Auth
+from botocore.awsrequest import AWSRequest
+
+
+def create_token_aws(project_id: str, pool_id: str, provider_id: str) -> None:
+    # Prepare a GetCallerIdentity request.
+    request = AWSRequest(
+        method="POST",
+        url="https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15",
+        headers={
+            "Host": "sts.amazonaws.com",
+            "x-goog-cloud-target-resource": f"//iam.googleapis.com/projects/{project_id}/locations/global/workloadIdentityPools/{pool_id}/providers/{provider_id}"
+        })
+
+    # Set the session credentials and Sign the request.
+    # get_credentials loads the required credentials as environment variables.
+    # Refer:
+    # https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html
+    SigV4Auth(boto3.Session().get_credentials(), "sts", "us-east-1").add_auth(request)
+
+    # Create token from signed request.
+    token = {
+        "url": request.url,
+        "method": request.method,
+        "headers": request.headers.items()
+    }
+    # The token lets workload identity federation verify the identity without revealing the AWS secret access key.
+    print("Token:\n%s" % json.dumps(token, indent=2, sort_keys=True))
+    print("URL encoded token:\n%s" % urllib.parse.quote(json.dumps(token)))
+
+
+def main():
+    # TODO(Developer): Replace the below credentials.
+    project_id = "my-project-id"
+    pool_id = "my-pool-id"
+    provider_id = "my-provider-id"
+
+    create_token_aws(project_id, pool_id, provider_id)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/iam/api-client/workload_identity_federation_test.py b/iam/api-client/workload_identity_federation_test.py
@@ -0,0 +1,27 @@
+#  Copyright 2021 Google LLC
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import re
+
+from _pytest.capture import CaptureFixture
+
+import workload_identity_federation
+
+
+def test_workload_identity_federation_aws(capsys: CaptureFixture) -> None:
+    import google.auth
+    credentials, project_id = google.auth.default()
+    workload_identity_federation.create_token_aws(project_id, "provider_id", "pool_id")
+    out, _ = capsys.readouterr()
+    assert re.search("URL encoded token:", out)
