credentials_external_account: Get a token for an external account
In gargle: Utilities for Working with Google APIs
View source: R/credentials_external_account.R
credentials_external_account R Documentation
Get a token for an external account
Description
![[Experimental]](../help/figures/lifecycle-experimental.svg)
Workload identity federation is a new (as of April 2021) keyless
authentication mechanism that allows applications running on a non-Google
Cloud platform, such as AWS, to access Google Cloud resources without using a
conventional service account token. This eliminates the dilemma of how to
safely manage service account credential files.
Unlike service accounts, the configuration file for workload identity
federation contains no secrets. Instead, it holds non-sensitive metadata.
The external application obtains the needed sensitive data "on-the-fly" from
the running instance. The combined data is then used to obtain a so-called
subject token from the external identity provider, such as AWS. This is then
sent to Google's Security Token Service API, in exchange for a very
short-lived federated access token. Finally, the federated access token is
sent to Google's Service Account Credentials API, in exchange for a
short-lived GCP access token. This access token allows the external
application to impersonate a service account and inherit the permissions of
the service account to access GCP resources.
This feature is still experimental in gargle and currently only supports
AWS. It also requires installation of the suggested packages
aws.signature and aws.ec2metadata. Workload identity federation
can be used with other platforms, such as Microsoft Azure or any
identity provider that supports OpenID Connect. If you would like gargle to
support this token flow for additional platforms, please open an issue on GitHub and describe your use case.
Usage
credentials_external_account(
scopes = "https://www.googleapis.com/auth/cloud-platform",
path = "",
...
)
Arguments
scopes
A character vector of scopes to request. Pick from those listed
at https://developers.google.com/identity/protocols/oauth2/scopes.
For certain token flows, the
"https://www.googleapis.com/auth/userinfo.email" scope is unconditionally
included. This grants permission to retrieve the email address associated
with a token; gargle uses this to index cached OAuth tokens. This grants no
permission to view or send email and is generally considered a low-value
scope.
path
JSON containing the workload identity configuration for the
external account, in one of the forms supported for the txt argument of
jsonlite::fromJSON() (probably, a file path, although it could be a JSON
string). The instructions for generating this configuration are given at
Configuring workload identity federation.
Note that external account tokens are a natural fit for use as Application
Default Credentials, so consider storing the configuration file in one of
the standard locations consulted for ADC, instead of providing path
explicitly. See credentials_app_default() for more.
...
Additional arguments passed to all credential functions.
Value
A WifToken() or NULL.
See Also
There is substantial setup necessary, both on the GCP and AWS side,
to use this authentication method. These two links provide, respectively,
a high-level overview and step-by-step instructions.
Other credential functions:
credentials_app_default(),
credentials_byo_oauth2(),
credentials_gce(),
credentials_service_account(),
credentials_user_oauth2(),
token_fetch()
Examples
## Not run:
credentials_external_account()
## End(Not run)
gargle documentation built on July 26, 2023, 5:29 p.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
View source: R/credentials_external_account.R
| credentials_external_account | R Documentation |
Get a token for an external account
Description
Workload identity federation is a new (as of April 2021) keyless
authentication mechanism that allows applications running on a non-Google
Cloud platform, such as AWS, to access Google Cloud resources without using a
conventional service account token. This eliminates the dilemma of how to
safely manage service account credential files.
Unlike service accounts, the configuration file for workload identity federation contains no secrets. Instead, it holds non-sensitive metadata. The external application obtains the needed sensitive data "on-the-fly" from the running instance. The combined data is then used to obtain a so-called subject token from the external identity provider, such as AWS. This is then sent to Google's Security Token Service API, in exchange for a very short-lived federated access token. Finally, the federated access token is sent to Google's Service Account Credentials API, in exchange for a short-lived GCP access token. This access token allows the external application to impersonate a service account and inherit the permissions of the service account to access GCP resources.
This feature is still experimental in gargle and currently only supports AWS. It also requires installation of the suggested packages aws.signature and aws.ec2metadata. Workload identity federation can be used with other platforms, such as Microsoft Azure or any identity provider that supports OpenID Connect. If you would like gargle to support this token flow for additional platforms, please open an issue on GitHub and describe your use case.
Usage
credentials_external_account(
scopes = "https://www.googleapis.com/auth/cloud-platform",
path = "",
...
)
Arguments
scopes |
A character vector of scopes to request. Pick from those listed at https://developers.google.com/identity/protocols/oauth2/scopes. For certain token flows, the
|
path |
JSON containing the workload identity configuration for the
external account, in one of the forms supported for the Note that external account tokens are a natural fit for use as Application
Default Credentials, so consider storing the configuration file in one of
the standard locations consulted for ADC, instead of providing |
... |
Additional arguments passed to all credential functions. |
Value
A WifToken() or NULL.
See Also
There is substantial setup necessary, both on the GCP and AWS side, to use this authentication method. These two links provide, respectively, a high-level overview and step-by-step instructions.
Other credential functions:
credentials_app_default(),
credentials_byo_oauth2(),
credentials_gce(),
credentials_service_account(),
credentials_user_oauth2(),
token_fetch()
Examples
## Not run:
credentials_external_account()
## End(Not run)
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.