Secretstore creation using Workload Identity Federation in onprem cluster #5528

Description

@makas45

Describe the bug
We have installed the External Secrets Operator in an Anthos bare metal (on-prem) cluster and are trying to create a SecretStore using Workload Identity Federation; it is not working. But if we try with a service account key to authenticate, it is working.

Error message which I got:

```
Warning  InvalidProviderConfig  2s (x2 over 32s)  secret-store  failed to create GCP secretmanager client: unable to lookup workload identity: unable to get project id: Get "http://ipaddress/computeMetadata/v1/project/project-id": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
```

To Reproduce
Steps to reproduce the behavior:

1. Provide all relevant manifests

Not working:

```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: demo-secrets-store
  namespace: demo
spec:
  provider:
    gcpsm:
      auth:
        workloadIdentity:
          serviceAccountRef:
            name: demo-test
      projectID: projectid
```

Working:

```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: demo-secrets-store-sa
  namespace: demo
spec:
  provider:
    gcpsm:
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcp-sa-key
            key: key.json
      projectID: projectid
```

2. Provide the Kubernetes and ESO version


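The error above comes from the metadata lookup that the `workloadIdentity` auth path performs: it asks the GCE metadata server for the project id and, on a node outside GCP where that address is not answered, the request hangs until the client timeout fires. The `secretRef` manifest works because a key file needs no metadata server. The following is an added diagnostic example, not code from the issue or from external-secrets: it performs the same `GET /computeMetadata/v1/project/project-id` request (with the `Metadata-Flavor: Google` header the real server requires) against a base URL you supply and classifies the outcome, so you can tell a black-holed metadata address (timeout, the on-prem symptom) apart from a reachable server or a refused connection. The fake metadata server, its port, the `example-project` value and the `QuietServer`/`probe_project_id` names are constructed for offline use; the real endpoint is `http://metadata.google.internal` (169.254.169.254).

```python
"""Added diagnostic example (not external-secrets code): repeat the metadata
lookup that a GCP workload-identity client performs and classify why it fails.
The fake metadata server below is constructed so the example runs offline."""
import http.server
import socket
import threading
import time
import urllib.error
import urllib.request

# Real GCE/GKE metadata endpoint; it does not exist on an on-prem (Anthos bare metal) node.
METADATA_URL = "http://metadata.google.internal"        # resolves to 169.254.169.254
PROJECT_ID_PATH = "/computeMetadata/v1/project/project-id"


def probe_project_id(base_url=METADATA_URL, timeout=2.0, flavor_header=True):
    """Fetch the project id the way a GCE metadata client does.

    Returns (status, detail) where status is one of:
      "ok"          the server answered with a project id
      "timeout"     no answer within `timeout` seconds (the on-prem symptom)
      "unreachable" connection refused / no route to host
      "http_error"  the server answered with an error status
    """
    headers = {"Metadata-Flavor": "Google"} if flavor_header else {}
    req = urllib.request.Request(base_url + PROJECT_ID_PATH, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok", resp.read().decode().strip()
    except urllib.error.HTTPError as err:
        return "http_error", str(err.code)
    except urllib.error.URLError as err:          # failed while connecting
        if isinstance(err.reason, socket.timeout):
            return "timeout", "timed out"
        return "unreachable", str(err.reason)
    except socket.timeout:                        # connected, but no headers arrived in time
        return "timeout", "timed out"


class FakeMetadataHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the metadata server (constructed for this example)."""
    project_id = "example-project"   # constructed value, not a real project
    delay = 0.0                      # seconds to stall; longer than the client timeout emulates a black hole

    def do_GET(self):
        time.sleep(self.delay)
        if self.path != PROJECT_ID_PATH:
            self.send_error(404)
            return
        # The real metadata server refuses requests that lack this header.
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_error(403, "Missing Metadata-Flavor:Google header")
            return
        body = self.project_id.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/text")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):    # keep the example's output quiet
        pass


class QuietServer(http.server.ThreadingHTTPServer):
    def handle_error(self, request, client_address):
        pass  # the client gave up (timed out) before we wrote; nothing to report


def start_fake_metadata_server(delay=0.0):
    """Start a fake metadata server on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (FakeMetadataHandler,), {"delay": delay})
    server = QuietServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    # 1. A node inside GCP: the lookup succeeds (and fails cleanly without the header).
    srv, url = start_fake_metadata_server()
    print("in-GCP   :", probe_project_id(url))
    print("no header:", probe_project_id(url, flavor_header=False))
    srv.shutdown()
    # 2. An on-prem node where the metadata address is black-holed: the client
    #    times out, which is the "context deadline exceeded" the SecretStore reports.
    srv, url = start_fake_metadata_server(delay=1.5)
    print("on-prem  :", probe_project_id(url, timeout=0.3))
    srv.shutdown()
```

To check a real node, call `probe_project_id()` with the defaults from a pod on the cluster: a `"timeout"` result confirms that nothing answers at the metadata address, so any SecretStore auth mode that derives the project id or a token from the metadata server will fail the same way, while the key-file path stays unaffected.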
Metadata

Labels: triage/support (indicates an issue that is a support question)
Status: Done
Assignees: none
Milestone: none