Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add workload identity federation support for ecs tasks #496

Open
jaimemasson opened this issue Nov 26, 2023 · 6 comments
Open

Add workload identity federation support for ecs tasks #496

jaimemasson opened this issue Nov 26, 2023 · 6 comments
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@jaimemasson
Copy link

would like to be able to use workload identity federation on ecs tasks like ec2 instances.

@bshaffer
Copy link
Contributor

Hello @jaimemasson! We already have support for Workload Identity Federation! Check out the README here and let us know if you run into any problems:

https://github.com/googleapis/google-auth-library-php#external-credentials-workload-identity-federation

@jaimemasson
Copy link
Author

jaimemasson commented Dec 28, 2023

@bshaffer this seems to only work for aws on ec2 instances but as far as i can tell ecs services(tasks) use different endpoints to assume a role and therefore this method as mentioned doesn't work. From what i can tell this should probably be handled with an update both on the downloaded credentials side and the library side but potentially handled just on the library side with some documentation. If i am mistaken and this works with ecs containers any guidance would be welcome.

@bshaffer bshaffer reopened this Dec 28, 2023
@bshaffer
Copy link
Contributor

I only tested on EC2 instances.

@aeitzman do you know if WIF is supported for ECS Tasks?

@jaimemasson
Copy link
Author

@bshaffer i'm pretty sure it doesn't support ecs as ec2 uses a static endpoint to retrieve cred metadata, whereas ecs tasks have a variable cred metadata endpoint set in an ENV variable

@bshaffer bshaffer added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Jun 6, 2024
@bshaffer
Copy link
Contributor

bshaffer commented Jun 6, 2024

@jaimemasson I'll get in touch with our team and see what we can do. I am also open to merging a PR if you feel like submitting support for this feature!

@bshaffer
Copy link
Contributor

@jaimemasson So the response here is that we don't currently support WIF for ECS Tasks natively in any of the googlea auth libraries. We did add support recently in some of the libraries for users to inject their own logic to retrieve AWS security credentials, but there's no native support in the "external account credentials file" as of yet. Its in the backlog to add eventually, but no timeline right now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.
Projects
None yet
Development

No branches or pull requests

2 participants