For AWS Credentials, can we use AWSCredentialsProviderChain? This will provide the credentials if the application is running on EC2, ECS, EKS, etc., or from default env variables. #714

Closed
sankalpkale88 opened this issue Aug 5, 2021 · 13 comments
Assignees
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@sankalpkale88

    AwsSecurityCredentials getAwsSecurityCredentials() throws IOException {

https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/AWSCredentialsProviderChain.html

@sankalpkale88
Author

    @VisibleForTesting
    AwsSecurityCredentials getAwsSecurityCredentials() throws IOException {
      // Let the AWS SDK's default chain locate credentials (env vars, profile file,
      // ECS task role, EKS, EC2 instance metadata) instead of reading env vars by hand.
      AWSCredentialsProvider awsCredentialsProvider = DefaultAWSCredentialsProviderChain.getInstance();
      AWSCredentials awsCredentials = awsCredentialsProvider.getCredentials();
      // Temporary credentials carry a session token that must be forwarded as well.
      if (awsCredentials instanceof BasicSessionCredentials) {
        BasicSessionCredentials basicSessionCredentials = (BasicSessionCredentials) awsCredentials;
        return new AwsSecurityCredentials(
            basicSessionCredentials.getAWSAccessKeyId(),
            basicSessionCredentials.getAWSSecretKey(),
            basicSessionCredentials.getSessionToken());
      }
      // Long-lived access keys have no session token.
      return new AwsSecurityCredentials(
          awsCredentials.getAWSAccessKeyId(), awsCredentials.getAWSSecretKey(), null);
    }

@sankalpkale88 sankalpkale88 reopened this Aug 5, 2021
@Neenu1995 Neenu1995 added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Aug 6, 2021
@oprigan-cgi

oprigan-cgi commented Aug 18, 2021

We have the same problem when using the lib in AWS Lambda.

AWS Lambda is using an assumed IAM Role with temporary security credentials and therefore it is not possible to create a valid subject token to be exchanged with sts.googleapis.com.

In AWSCredentials the following code exists:

  @VisibleForTesting
  AwsSecurityCredentials getAwsSecurityCredentials() throws IOException {
    // Check environment variables for credentials first.
    String accessKeyId = getEnvironmentProvider().getEnv("AWS_ACCESS_KEY_ID");
    String secretAccessKey = getEnvironmentProvider().getEnv("AWS_SECRET_ACCESS_KEY");
    String token = getEnvironmentProvider().getEnv("Token");
    if (accessKeyId != null && secretAccessKey != null) {
      return new AwsSecurityCredentials(accessKeyId, secretAccessKey, token);
    }
    ...

As @sankalpkale88 mentioned the provider chain could be a possible solution.

On the other hand the environment variable for the session token in an AWS environment is named "AWS_SESSION_TOKEN" and not "Token" so this could be another approach to fix the issue.

    String token = getEnvironmentProvider().getEnv("AWS_SESSION_TOKEN");

Refer to Python library google-auth-library-python where the processing of temporary security credentials is correctly implemented.

Kind regards,
Oliver

@TimurSadykov
Member

@oprigan-cgi Could you please confirm whether this issue is now resolved, given that one of the possible solutions got implemented?

@pwalczak

Hi team!

Is there some plan to implement this? This would allow services deployed on AWS EKS using IRSA to get successfully the GCP tokens using WIF.

Thanks!
Piotrek

@TimurSadykov
Member

@pwalczak please clarify what exactly you are referring to. The AWSCredentialsProviderChain or something else? The original issue got mitigated by a related fix: #723

@pwalczak

Hi @TimurSadykov. Yes, the AWSCredentialsProviderChain, especially whether there are any plans to enhance the AwsCredentials class to support reading AWS credentials using the WebIdentityTokenFileCredentialsProvider method.

I have a use case where my service is deployed on an AWS EKS cluster which uses the IRSA mechanism. Metadata service access is blocked. With the usage of AWSCredentialsProviderChain (especially WebIdentityTokenFileCredentialsProvider) I can get my AWS credentials using the AWS SDK; however, the AWSCredentials class from the google-auth-library does not support this method of retrieving credentials. The AWSCredentials class (especially AwsSecurityCredentials getAwsSecurityCredentials(Map<String, Object> metadataRequestHeaders)) only scans the environment variables and, if nothing is found, jumps to the metadata service.

@sankalpkale88
Author

Hi @TimurSadykov, any update on this?

@TimurSadykov
Member

@lsirac could you please comment?

@lsirac
Contributor

lsirac commented Jan 31, 2023

We're aware of the gaps and will update when we add support for this.

@michalstefanext

Hi @TimurSadykov @lsirac, do you have at least a rough ETA for when this could be introduced, please?

@TimurSadykov
Member

@michalstefanext hopefully sometime next week

@lsirac
Contributor

lsirac commented Mar 31, 2023

@michalstefanext hopefully sometime next week

Timur means next half :)

@aeitzman
Contributor

aeitzman commented Feb 7, 2024

Added support for using a custom implementation to supply AWS security credentials in #1336, released in v1.23.0.
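Added example (not the library's code and not from any commenter) of the custom-supplier approach that closed this issue, wired to the AWS SDK v1 default provider chain so that the IRSA / WebIdentityTokenFileCredentialsProvider case from @pwalczak's comment and the session-token point from @oprigan-cgi's comment are both handled. The AwsSecurityCredentialsSupplier interface, ExternalAccountSupplierContext and the builder's setAwsSecurityCredentialsSupplier are assumed from the v1.23.0 API; the audience value is a placeholder.

```java
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.DefaultAwsRegionProviderChain;
import com.google.auth.oauth2.AwsCredentials;
import com.google.auth.oauth2.AwsSecurityCredentials;
import com.google.auth.oauth2.AwsSecurityCredentialsSupplier; // assumed: v1.23.0 interface
import com.google.auth.oauth2.ExternalAccountSupplierContext;   // assumed: v1.23.0 context type
import java.io.IOException;

/** Feeds AWS credentials found by the SDK's default chain into the GCP WIF token exchange. */
public final class ProviderChainAwsSecurityCredentialsSupplier
    implements AwsSecurityCredentialsSupplier {

  // Default chain order: env vars, system props, web identity token file (EKS IRSA),
  // shared profile, ECS container credentials, EC2 instance metadata.
  private final AWSCredentialsProvider chain = DefaultAWSCredentialsProviderChain.getInstance();

  @Override
  public String getRegion(ExternalAccountSupplierContext context) throws IOException {
    // The region is part of the SigV4 signature on the GetCallerIdentity request.
    try {
      return new DefaultAwsRegionProviderChain().getRegion();
    } catch (SdkClientException e) {
      throw new IOException("Unable to resolve AWS region for subject token signing", e);
    }
  }

  @Override
  public AwsSecurityCredentials getAwsSecurityCredentials(ExternalAccountSupplierContext context)
      throws IOException {
    // Called on every exchange: do not cache here, the SDK chain already refreshes
    // short-lived role credentials (Lambda, IRSA, IMDS) before they expire.
    AWSCredentials creds = chain.getCredentials();
    // Temporary credentials carry a session token that MUST be forwarded; without it
    // STS rejects the signed request. Checking the interface covers every session type.
    String sessionToken =
        creds instanceof AWSSessionCredentials ? ((AWSSessionCredentials) creds).getSessionToken() : null;
    return new AwsSecurityCredentials(creds.getAWSAccessKeyId(), creds.getAWSSecretKey(), sessionToken);
  }

  /** Builds GCP credentials for a workload identity pool provider using this supplier. */
  public static AwsCredentials buildGcpCredentials(String audience) {
    return AwsCredentials.newBuilder()
        .setAudience(audience) // placeholder: //iam.googleapis.com/projects/<num>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
        .setSubjectTokenType("urn:ietf:params:aws:token-type:aws4_request")
        .setAwsSecurityCredentialsSupplier(new ProviderChainAwsSecurityCredentialsSupplier()) // assumed setter
        .build();
  }
}
```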

8 participants