Module external_account


Workload Identity Federation (or External Account) credentials.

Workload identity federation allows applications running outside of Google Cloud to access Google Cloud resources without a service account key. Instead of deploying a long-lived credential, you exchange a credential issued by your workload's own identity provider for a short-lived Google Cloud access token. Per Google Cloud best practices, Workload Identity Federation is the recommended method of authentication when your workload already has an external identity provider.

Refer to Obtain short-lived tokens for Workforce Identity Federation for creating configurations that can be used with this library for loading credentials using various external token provider sources, such as a file, a URL, or an executable.

Example: Creating credentials from a JSON object

// Imports rustdoc hides in the rendered snippet (assumed paths: the module is
// `google_cloud_auth::credentials::external_account`, `Extensions` is `http::Extensions`).
use google_cloud_auth::credentials::external_account;
use http::Extensions;

let project_id = "your-gcp-project-id";
let pool_id = "your-workload-identity-pool-id";
let provider_id = "your-provider-id";

// The audience is the full resource name of the workload identity pool provider.
let audience = format!(
    "//iam.googleapis.com/projects/{}/locations/global/workloadIdentityPools/{}/providers/{}",
    project_id, pool_id, provider_id
);

// This is an example of a configuration for a file-sourced credential.
// The actual configuration will depend on your identity provider.
let external_account_config = serde_json::json!({
    "type": "external_account",
    "audience": audience,
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "file": "/path/to/your/oidc/token.jwt"
    }
});

let credentials = external_account::Builder::new(external_account_config)
    .build()
    .unwrap();
// `headers()` performs the token exchange, so it must be awaited inside an async fn.
let headers = credentials.headers(Extensions::new()).await?;
println!("Headers: {headers:?}");
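The configuration above is passed to the library as untyped JSON, so mistakes (a malformed audience, a token_url that is not Google's STS endpoint, an empty or non-JWT token file) only surface when the first exchange fails. The following is an added, standard-library-only example, not code from the google-cloud-auth crate: it mirrors the JSON keys from the example in a typed struct, rebuilds and parses the audience resource name, applies a few defensive checks before the config is handed to the Builder, and reads a file-sourced subject token without ever logging it. The accepted subject token types, the STS URL check, and the JWT shape test are this example's own policy; the token file written in the test is constructed.

```rust
use std::fs;
use std::path::Path;

/// Every workload identity pool provider audience starts with this prefix
/// (taken from the audience format used in the example above).
const AUDIENCE_PREFIX: &str = "//iam.googleapis.com/projects/";

/// Mirrors the `credential_source` keys (`file`, `url`, `executable`) of the JSON config.
#[derive(Debug, Clone)]
pub enum CredentialSource {
    File(String),
    Url(String),
    Executable(String),
}

/// Typed view of the `external_account` JSON object (hypothetical helper type).
#[derive(Debug, Clone)]
pub struct ExternalAccountConfig {
    pub r#type: String,
    pub audience: String,
    pub subject_token_type: String,
    pub token_url: String,
    pub credential_source: CredentialSource,
}

/// Builds the audience exactly as the example above does.
pub fn audience(project_id: &str, pool_id: &str, provider_id: &str) -> String {
    format!(
        "//iam.googleapis.com/projects/{}/locations/global/workloadIdentityPools/{}/providers/{}",
        project_id, pool_id, provider_id
    )
}

/// Splits an audience back into (project, pool, provider); returns None for any
/// string that does not have the expected resource-name shape.
pub fn parse_audience(aud: &str) -> Option<(String, String, String)> {
    let rest = aud.strip_prefix(AUDIENCE_PREFIX)?;
    let parts: Vec<&str> = rest.split('/').collect();
    // {project}/locations/global/workloadIdentityPools/{pool}/providers/{provider}
    match parts.as_slice() {
        [project, "locations", "global", "workloadIdentityPools", pool, "providers", provider]
            if !project.is_empty() && !pool.is_empty() && !provider.is_empty() =>
        {
            Some((project.to_string(), pool.to_string(), provider.to_string()))
        }
        _ => None,
    }
}

/// Defensive checks applied before the config reaches the library's Builder.
pub fn validate_config(cfg: &ExternalAccountConfig) -> Result<(), String> {
    if cfg.r#type != "external_account" {
        return Err(format!("unexpected credential type {:?}", cfg.r#type));
    }
    if parse_audience(&cfg.audience).is_none() {
        return Err("audience is not a workload identity pool provider resource name".into());
    }
    // The subject token is sent to token_url; insist on Google's STS over TLS so a
    // tampered config cannot redirect it elsewhere (this example's policy).
    if !cfg.token_url.starts_with("https://sts.googleapis.com/") {
        return Err(format!("unexpected token_url {:?}", cfg.token_url));
    }
    const ACCEPTED_TYPES: [&str; 3] = [
        "urn:ietf:params:oauth:token-type:jwt",
        "urn:ietf:params:oauth:token-type:id_token",
        "urn:ietf:params:oauth:token-type:saml2",
    ];
    if !ACCEPTED_TYPES.contains(&cfg.subject_token_type.as_str()) {
        return Err(format!("unsupported subject_token_type {:?}", cfg.subject_token_type));
    }
    match &cfg.credential_source {
        CredentialSource::File(p) | CredentialSource::Executable(p) if p.is_empty() => {
            Err("credential_source path is empty".into())
        }
        CredentialSource::Url(u) if !u.starts_with("https://") => {
            Err("credential_source url must use https".into())
        }
        _ => Ok(()),
    }
}

/// True when `token` has the three non-empty base64url segments of a compact JWT.
pub fn looks_like_jwt(token: &str) -> bool {
    let segments: Vec<&str> = token.split('.').collect();
    segments.len() == 3
        && segments.iter().all(|s| {
            !s.is_empty()
                && s.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
        })
}

/// Reads a file-sourced subject token and rejects empty or non-JWT contents.
pub fn load_file_subject_token(path: &Path) -> Result<String, String> {
    let raw = fs::read_to_string(path)
        .map_err(|e| format!("cannot read {}: {e}", path.display()))?;
    let token = raw.trim().to_string();
    if token.is_empty() {
        return Err("subject token file is empty".into());
    }
    if !looks_like_jwt(&token) {
        return Err("subject token file does not contain a compact JWT".into());
    }
    Ok(token)
}

/// What may go into a log line about the token: its shape, never its value.
pub fn redact_token(token: &str) -> String {
    format!("<jwt {} bytes, {} segments>", token.len(), token.split('.').count())
}

fn main() {
    let cfg = ExternalAccountConfig {
        r#type: "external_account".into(),
        audience: audience("your-gcp-project-id", "your-workload-identity-pool-id", "your-provider-id"),
        subject_token_type: "urn:ietf:params:oauth:token-type:jwt".into(),
        token_url: "https://sts.googleapis.com/v1/token".into(),
        credential_source: CredentialSource::File("/path/to/your/oidc/token.jwt".into()),
    };
    match validate_config(&cfg) {
        Ok(()) => println!("config ok"),
        Err(e) => println!("config rejected: {e}"),
    }
}
```

Run these checks once at startup; a rejected config is a deployment error, while the token file should be re-read on each exchange because the identity provider rotates it.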

Example: Creating credentials with custom retry behavior

// `gax` is the google-cloud-gax crate (assumed alias); `external_account_config`
// is the JSON object built in the previous example.
use google_cloud_gax as gax;
use gax::retry_policy::{AlwaysRetry, RetryPolicyExt};
use gax::exponential_backoff::ExponentialBackoff;

// Retry the token exchange up to three times with exponential backoff.
let backoff = ExponentialBackoff::default();
let credentials = external_account::Builder::new(external_account_config)
    .with_retry_policy(AlwaysRetry.with_attempt_limit(3))
    .with_backoff_policy(backoff)
    .build()
    .unwrap();
let headers = credentials.headers(Extensions::new()).await?;
println!("Headers: {headers:?}");

Structs

Builder: A builder for external account Credentials instances.
ProgrammaticBuilder: A builder for external account Credentials that uses a user-provided subject token provider.