
Commit e6006e5

Sita04busunkim96
andauthored
docs(iam-samples): added snippet to demo workload identity federation with aws (GoogleCloudPlatform#6933)
* docs(samples): init add workload identity federation samples * added test and env variables * added comment * updated requirements.txt to add boto3 and botocore * docs(iam-samples): lint and header fix * docs(iam-samples): lint fix * Apply suggestions from code review Co-authored-by: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com> * applied review suggestions * docs(iam-samples): pass aws session credentials as env vars Co-authored-by: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com>
1 parent 2194151 commit e6006e5


4 files changed

+95
-1
lines changed

4 files changed

+95
-1
lines changed

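--- a/iam/api-client/noxfile_config.py
+++ b/iam/api-client/noxfile_config.py
@@ -38,5 +38,9 @@
 
 # A dictionary you want to inject into your test. Don't put any
 # secrets here. These values will override predefined values.
-'envs': {},
+'envs': {
+# Required for workload identity federation with AWS.
+'AWS_ACCESS_KEY_ID': 'AKIA000000000EXAMPLE',
+'AWS_SECRET_ACCESS_KEY': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+},
 }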
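Review bot: The comment on the new `'envs'` entries should say that these values are deliberately non-functional placeholders, because the comment two lines above ("Don't put any secrets here") makes it likely a later contributor will wonder whether real keys belong here. As far as the page shows, the sample only signs a GetCallerIdentity request locally with whatever `boto3.Session().get_credentials()` finds and never sends it, so placeholder values are sufficient for the test to pass — but that is inferred from the other file sections and worth stating where the values are set. I would extend the comment to `# Required for workload identity federation with AWS. Placeholder values: the sample only signs a request locally; never put live keys here.`.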

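--- a/iam/api-client/requirements.txt
+++ b/iam/api-client/requirements.txt
@@ -1,3 +1,5 @@
 google-api-python-client==2.25.0
 google-auth==2.0.0
 google-auth-httplib2==0.1.0
+boto3==1.18.48
+botocore==1.21.48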
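--- /dev/null
+++ b/workload_identity_federation.py
@@ -0,0 +1,61 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Demonstrates how to obtain short-lived credentials with identity federation."""
+import json
+import urllib
+
+import boto3
+from botocore.auth import SigV4Auth
+from botocore.awsrequest import AWSRequest
+
+
+def create_token_aws(project_id: str, pool_id: str, provider_id: str) -> None:
+# Prepare a GetCallerIdentity request.
+request = AWSRequest(
+method="POST",
+url="https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15",
+headers={
+"Host": "sts.amazonaws.com",
+"x-goog-cloud-target-resource": f"//iam.googleapis.com/projects/{project_id}/locations/global/workloadIdentityPools/{pool_id}/providers/{provider_id}"
+})
+
+# Set the session credentials and Sign the request.
+# get_credentials loads the required credentials as environment variables.
+# Refer:
+# https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html
+SigV4Auth(boto3.Session().get_credentials(), "sts", "us-east-1").add_auth(request)
+
+# Create token from signed request.
+token = {
+"url": request.url,
+"method": request.method,
+"headers": request.headers.items()
+}
+# The token lets workload identity federation verify the identity without revealing the AWS secret access key.
+print("Token:\n%s" % json.dumps(token, indent=2, sort_keys=True))
+print("URL encoded token:\n%s" % urllib.parse.quote(json.dumps(token)))
+
+
+def main():
+# TODO(Developer): Replace the below credentials.
+project_id = "my-project-id"
+pool_id = "my-pool-id"
+provider_id = "my-provider-id"
+
+create_token_aws(project_id, pool_id, provider_id)
+
+
+if __name__ == "__main__":
+main()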
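Review bot: `import urllib` on line 17 does not bring in the `urllib.parse` submodule used on line 48; it only works when some other import (here presumably boto3/botocore) has already loaded it, so it should read `import urllib.parse`. On line 44 `"headers": request.headers.items()` is serialized by `json.dumps` as a list of two-element arrays, whereas the workload identity federation documentation describes the AWS subject token's headers as a list of `{"key": ..., "value": ...}` objects — verify the expected shape and, if so, use `"headers": [{"key": k, "value": v} for k, v in request.headers.items()]`. `create_token_aws` has no docstring; it should state that it prints a SigV4-signed GetCallerIdentity request in the subject-token form expected by the federation exchange, and the comment on line 46 should add that the printed token is itself a credential for the duration of its validity window and must be kept out of logs. The file's path header is missing from this page; the name is taken from the test's `import workload_identity_federation`.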
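--- /dev/null
+++ b/TEST_FILE_PATH_NOT_ON_PAGE
@@ -0,0 +1,27 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import re
+
+from _pytest.capture import CaptureFixture
+
+import workload_identity_federation
+
+
+def test_workload_identity_federation_aws(capsys: CaptureFixture) -> None:
+import google.auth
+credentials, project_id = google.auth.default()
+workload_identity_federation.create_token_aws(project_id, "provider_id", "pool_id")
+out, _ = capsys.readouterr()
+assert re.search("URL encoded token:", out)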
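Review bot: On line 25 the positional arguments are swapped relative to the signature `create_token_aws(project_id, pool_id, provider_id)`: `"provider_id"` is passed as the pool and `"pool_id"` as the provider. It is harmless with placeholder strings but misleading as sample code; change it to `workload_identity_federation.create_token_aws(project_id, "pool_id", "provider_id")`. `credentials` on line 24 is unused, so `_, project_id = google.auth.default()` would be clearer, and the `re.search` on line 27 is a plain substring check better written `assert "URL encoded token:" in out`. The test only verifies that something was printed — it signs with whatever AWS credentials the environment supplies and never performs the token exchange, so it does not validate the token shape the federation endpoint accepts; a one-line comment in the test saying so would stop readers from taking it as end-to-end coverage.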
