Add additional authentication for Google Cloud Operators #35899

Open
1 of 2 tasks
ChloeSheasby opened this issue Nov 27, 2023 · 3 comments
Assignees
Labels
area:providers kind:feature Feature Requests provider:google Google (including GCP) related issues

Comments

@ChloeSheasby
Contributor

Description

Currently, the only way to authenticate with Google Cloud operators is through defining a file path to the Google Cloud Credentials. This is not always a safe option, and credentials can be acquired in different ways through the Workload Federated Identity service in Google Cloud Platform.

This can be done as follows:

  • Request a token from your external service (defined in your Federated Identity)
  • Provide the following items as the payload to this API endpoint: https://sts.googleapis.com/v1/token
    • subject_token: the token from the previous request
    • grant_type: "urn:ietf:params:oauth:grant-type:token-exchange"
    • requested_token_type: "urn:ietf:params:oauth:token-type:access_token"
    • scope: "https://www.googleapis.com/auth/cloud-platform"
    • subject_token_type: "urn:ietf:params:oauth:token-type:jwt"
  • Provide the following items to this API endpoint: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/:generateAccessToken
    • Headers: use the token from the previous request in the "Authorization" section
    • Payload:
      • scope: ["https://www.googleapis.com/auth/cloud-platform"]
  • Use the token from the last request as the authentication.

Use case/motivation

I would like to be able to authenticate the Google Cloud operators through the Workload Federated Identity instead of providing the file path to credentials. This would help me to be able to use Airflow's native Google Cloud operators instead of making custom operators.

Related issues

No response

Are you willing to submit a PR?

  • Yes I am willing to submit a PR!


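The two-step exchange described in the issue (external JWT to STS federated token, then service-account impersonation via generateAccessToken), as an added example that is not code from the issue, from Airflow, or from Google's client libraries. It assumes the caller already holds the IdP JWT, adds the `audience` field (the workload identity pool provider resource name) that the STS endpoint requires but the issue's list omits, and takes a hypothetical `post` hook so the flow can be exercised without a network.

```python
import json
import urllib.request
from typing import Callable

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
           "serviceAccounts/{sa}:generateAccessToken")
SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def http_post_json(url: str, body: dict, headers: dict) -> dict:
    """Default hook: POST a JSON body and parse the JSON reply (stdlib only)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def sts_payload(subject_token: str, audience: str) -> dict:
    """Step 1 body: the fields listed in the issue plus 'audience' (the workload
    identity pool provider resource name, assumed here), which STS needs to pick
    the provider whose issuer and keys the external JWT is validated against."""
    return {
        "audience": audience,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": SCOPE,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": subject_token,
    }


def exchange_for_sa_token(subject_token: str, audience: str, service_account: str,
                          post: Callable[[str, dict, dict], dict] = http_post_json) -> str:
    """Run both steps; return the short-lived service-account access token.
    'post' is a hypothetical injectable hook (url, json_body, headers) -> dict.
    The federated token from step 1 is used only as the bearer for step 2."""
    if not subject_token or not service_account:
        raise ValueError("subject_token and service_account are required")
    sts = post(STS_URL, sts_payload(subject_token, audience), {})
    federated = sts.get("access_token")
    if not federated:
        raise RuntimeError(f"STS exchange failed: {sts.get('error', 'no access_token')}")
    iam = post(IAM_URL.format(sa=service_account), {"scope": [SCOPE]},
               {"Authorization": f"Bearer {federated}"})
    token = iam.get("accessToken")
    if not token:
        raise RuntimeError("generateAccessToken returned no accessToken")
    return token  # cache until iam["expireTime"]; never write it to disk or logs
```

Because no long-lived key file is involved, the only secret that has to be protected is the external IdP JWT, and the returned token expires on its own.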
@ChloeSheasby ChloeSheasby added kind:feature Feature Requests needs-triage label for new issues that we didn't triage yet labels Nov 27, 2023

boring-cyborg bot commented Nov 27, 2023

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise a PR to address this issue, please do so; no need to wait for approval.

@Lee-W Lee-W added provider:google Google (including GCP) related issues area:providers labels Nov 28, 2023
@josh-fell josh-fell removed the needs-triage label for new issues that we didn't triage yet label Dec 14, 2023
@dybolo
Contributor

dybolo commented Apr 25, 2024

Hello! I would be eager to implement this feature.

@potiuk
Member

potiuk commented Apr 25, 2024

@VladaZakharova and her team might be the right people to get feedback from on it

dybolo added a commit to dybolo/airflow that referenced this issue May 27, 2024
using OAuth2.0 Client Credentials Grant for
Google Cloud Operators.

This feature enables OIDC token retrieval from
any generic Identity Provider (IdP) that uses the OAuth 2.0
Credentials Grant Flow. Additionally, it lays the groundwork
for integrating other custom OIDC token retrieval methods.

related: apache#35899

Co-authored-by: Gonçalo Azevedo <[email protected]>
dybolo added a commit to dybolo/airflow that referenced this issue Jun 9, 2024
using OAuth2.0 Client Credentials Grant for
Google Cloud Operators.

This feature enables OIDC token retrieval from
any generic Identity Provider (IdP) that uses the OAuth 2.0
Credentials Grant Flow. Additionally, it lays the groundwork
for integrating other custom OIDC token retrieval methods.

related: apache#35899

Co-authored-by: Gonçalo Azevedo <[email protected]>
potiuk pushed a commit that referenced this issue Jun 11, 2024
…erators. (#39873)

* Add support for external IdP OIDC token retrieval
using OAuth2.0 Client Credentials Grant for
Google Cloud Operators.

This feature enables OIDC token retrieval from
any generic Identity Provider (IdP) that uses the OAuth 2.0
Credentials Grant Flow. Additionally, it lays the groundwork
for integrating other custom OIDC token retrieval methods.

related: #35899

Co-authored-by: Gonçalo Azevedo <[email protected]>

---------

Co-authored-by: Gonçalo Azevedo <[email protected]>
romsharon98 pushed a commit to romsharon98/airflow that referenced this issue Jul 26, 2024
…erators. (apache#39873)

* Add support for external IdP OIDC token retrieval
using OAuth2.0 Client Credentials Grant for
Google Cloud Operators.

This feature enables OIDC token retrieval from
any generic Identity Provider (IdP) that uses the OAuth 2.0
Credentials Grant Flow. Additionally, it lays the groundwork
for integrating other custom OIDC token retrieval methods.

related: apache#35899

Co-authored-by: Gonçalo Azevedo <[email protected]>

---------

Co-authored-by: Gonçalo Azevedo <[email protected]>