
amazon web services - How to access GCP resources from AWS Fargate EKS pods? - Stack Overflow


I want to use workload identity federation provided by GCP. I was able to download the client-credentials file and was able to access the resource from EC2 instance.

But that file

 "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "imdsv2_session_token_url": "http://169.254.169.254/latest/api/token",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }

tries to access 169.254.169.254 for IMDS. This URL is not accessible from EKS pods running on Fargate for security reasons.

How should I proceed?


asked Mar 25 at 14:50 by Nimish Agrawal

1 Answer

GCP needs some (signed) AWS credentials to verify any request.

The default behaviour of the GCP SDK is to fetch these credentials from 169.254.169.254 (IMDSv2), which is generally accessible from EC2 and from EKS (on EC2 nodes).

Since IMDSv2 (169.254.169.254) is not accessible from Fargate, we can instead fetch the access_key, secret and session_token with awscli/boto3 and pass that information to the GCP SDK.

This is the credentials file downloaded from GCP console. I have removed credential_source from it which by default points to IMDSv2.

{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "<AUD>",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "<IMP>",
  "token_url": "https://sts.googleapis.com/v1/token"
}

We will pass a custom credential source.

Custom Source

import os

import boto3
from google.auth.aws import AwsSecurityCredentials, AwsSecurityCredentialsSupplier


class Boto3AwsSecurityCredentialsSupplier(AwsSecurityCredentialsSupplier):
    """Hand google-auth the AWS credentials that boto3 resolves through its normal
    provider chain (on EKS Fargate typically the IRSA web-identity token, via
    AWS_WEB_IDENTITY_TOKEN_FILE / AWS_ROLE_ARN) instead of reading IMDS."""

    def __init__(self):
        session = boto3.Session()
        self.credentials = session.get_credentials()
        self.region = session.region_name or os.environ.get('AWS_REGION', 'us-west-1')

    def get_aws_security_credentials(self, context, request):
        # Freeze at call time so refreshed temporary credentials are picked up
        # rather than a snapshot taken when the supplier was created.
        frozen = self.credentials.get_frozen_credentials()
        return AwsSecurityCredentials(
            frozen.access_key,
            frozen.secret_key,
            frozen.token,
        )

    def get_aws_region(self, context, request):
        return self.region

Here is the usage of the source

import json

from google.auth import load_credentials_from_dict

# Credential config downloaded from the GCP console, with credential_source removed
with open("client-cred.json") as f:
    aws_oidc_credentials_dict = json.load(f)

# Supply the AWS credentials ourselves instead of letting google-auth query IMDS
aws_oidc_credentials_dict["aws_security_credentials_supplier"] = Boto3AwsSecurityCredentialsSupplier()

# Load external_account credentials from the dict
credentials, project_id = load_credentials_from_dict(aws_oidc_credentials_dict)

You can use the creds later

from google.cloud import bigquery

client = bigquery.Client(credentials=credentials, project=project_id)
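What the answer's supplier actually hands over is worth seeing end to end, because it is the security-relevant part: google-auth never sends the AWS secret to Google. It builds a SigV4-signed `GetCallerIdentity` request for the regional AWS STS endpoint, binds it to the workload identity pool with the `x-goog-cloud-target-resource` header, and serialises the signed request (URL-encoded JSON) as the `aws4_request` subject token; GCP STS replays that request to AWS STS, which checks the signature. The block below is an added, stdlib-only reconstruction of that signing written for this page, not the google-auth library's code or the answerer's. The access key, secret, session token, audience and fixed timestamp are constructed sample values, and the JSON layout follows Google's documented `aws4_request` token format as far as header names go; header order and the helper names are this example's own.

```python
"""Build and re-check the aws4_request subject token that GCP STS replays to AWS STS.

Constructed example, not google-auth's code. All credentials below are fake.
"""
import hashlib
import hmac
import json
import urllib.parse
from typing import Dict, Optional

STS_URL = "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()  # GetCallerIdentity is sent with no body

# Constructed sample inputs (AWS's documented example key pair plus a made-up token/audience).
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"
SAMPLE_REGION = "us-east-1"
SAMPLE_AUDIENCE = ("//iam.googleapis.com/projects/123456789/locations/global/"
                   "workloadIdentityPools/aws-pool/providers/aws-provider")
SAMPLE_AMZ_DATE = "20240101T000000Z"  # fixed so the example is deterministic


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, "sts")
    return _hmac_sha256(k, "aws4_request")


def canonical_query(query: str) -> str:
    """Sort parameters and RFC 3986-encode them, as SigV4 requires."""
    params = sorted(urllib.parse.parse_qsl(query, keep_blank_values=True))
    return "&".join(f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
                    for k, v in params)


def canonical_request(method: str, query: str, headers: Dict[str, str]) -> str:
    """SigV4 canonical request for a bodiless request on path '/'.
    Header names must already be lowercase; every header given here is signed."""
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    return "\n".join([method, "/", canonical_query(query), canonical_headers,
                      ";".join(names), EMPTY_BODY_SHA256])


def _signature(secret_key: str, amz_date: str, region: str, creq: str) -> str:
    scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    return hmac.new(_signing_key(secret_key, amz_date[:8], region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def request_headers(region: str, audience: str, amz_date: str,
                    session_token: Optional[str] = None) -> Dict[str, str]:
    host = urllib.parse.urlsplit(STS_URL.format(region=region)).netloc
    # x-goog-cloud-target-resource is signed, so the token only works for this pool/provider.
    headers = {"host": host, "x-amz-date": amz_date, "x-goog-cloud-target-resource": audience}
    if session_token:  # temporary credentials (IRSA, STS) must carry their session token
        headers["x-amz-security-token"] = session_token
    return headers


def build_subject_token(access_key: str, secret_key: str, session_token: Optional[str],
                        region: str, audience: str, amz_date: str) -> str:
    """Return the URL-encoded JSON subject token sent to https://sts.googleapis.com/v1/token."""
    url = STS_URL.format(region=region)
    headers = request_headers(region, audience, amz_date, session_token)
    creq = canonical_request("POST", urllib.parse.urlsplit(url).query, headers)
    sig = _signature(secret_key, amz_date, region, creq)
    scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={';'.join(sorted(headers))}, Signature={sig}")
    body = {"url": url, "method": "POST",
            "headers": [{"key": k, "value": v} for k, v in headers.items()]
                       + [{"key": "Authorization", "value": authorization}]}
    return urllib.parse.quote(json.dumps(body), safe="")


def decode_subject_token(token: str) -> dict:
    return json.loads(urllib.parse.unquote(token))


def signature_of(token: str) -> str:
    headers = {h["key"]: h["value"] for h in decode_subject_token(token)["headers"]}
    return headers["Authorization"].rsplit("Signature=", 1)[1]


def recompute_signature(token: str, secret_key: str) -> str:
    """What AWS STS does when GCP replays the request: rebuild the canonical request
    from the signed headers and re-derive the signature with the caller's secret."""
    body = decode_subject_token(token)
    headers = {h["key"]: h["value"] for h in body["headers"]}
    authorization = headers.pop("Authorization")
    credential = authorization.split("Credential=", 1)[1].split(",", 1)[0]
    _access_key, _date, region, _service, _ = credential.split("/")
    creq = canonical_request(body["method"], urllib.parse.urlsplit(body["url"]).query, headers)
    return _signature(secret_key, headers["x-amz-date"], region, creq)


def demo() -> str:
    return build_subject_token(SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, SAMPLE_SESSION_TOKEN,
                               SAMPLE_REGION, SAMPLE_AUDIENCE, SAMPLE_AMZ_DATE)


if __name__ == "__main__":
    print(json.dumps(decode_subject_token(demo()), indent=2))
```

Two things follow from this for the Fargate setup above. The supplier only needs to return something SigV4 can sign with, so any boto3-resolvable credential works, and temporary credentials must include their session token or AWS STS rejects the replay. And because the audience is inside the signed headers, a subject token captured from one pod cannot be exchanged against a different workload identity pool, though within its validity window it is still a bearer credential for that pool and should be treated as such.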