ID token with workload identity federation

[jalbinge]

Hello togehter,

I want to access an GCP Cloud Endpoint with workload identity federation from AWS. I have a generated impersonated key file and your first example with list buckets worked well.

For Cloud endpoints and gRPC there is the need to use GOOGLE_ID_TOKEN instead of ACCESS_TOKENS.

My code looks like this. I used the getIdTokenClient function.

`

async function main() {
const url = "https://my-cloud-endpoint-url-endpoint-pimf6a67fa-ew.a.run.app/v1/status"

const auth = new GoogleAuth({
    keyFile: process.env.GOOGLE_APPLICATION_CREDENTIALS,
    scopes: 'https://www.googleapis.com/auth/cloud-platform',
    projectId: 'my-project',
});
const targetAudience = "this-is-my-target-audience"
const client = await auth.getIdTokenClient(targetAudience);

const res = await client.request({ url });
console.log(res.data); }

`

The error message is:

Error: Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file. at GoogleAuth.getIdTokenClient

The problem is that I have an access token. In my case I need an ID Token. I was wondering if there is a possibility to get an ID Token before I request my endpoint.

( It works in python: Python google.auth has an impersonated_credentials object with an ID Token functionality.

creds = impersonated_credentials.IDTokenCredentials( target_creds, target_audience=audience, include_email=True )

Anyway, I need a solution for nodeJs.

Thanks

[bcoe]

@jalbinge the person who implemented this feature is currently away for a few days, I'll loop them in regarding your question as soon as they're back.

[sagar86kc]

Is there any workaround for this? I'm also facing same error.

[bcoe]

@bojeil-google any thoughts on this one, or is there someone we can point folks towards?

[bcoe]

@xil222 could you help out with this one? Is this a known limitation of the current workload identity implementation?

[jalbinge]

Hey there,
be aware that I am not very familiar with nodeJs, but here is an example code which worked for me:

// Make a request to a protected Cloud Run service.
const {GoogleAuth} = require('google-auth-library');
const https = require('https')
const axios = require('axios');
async function getGcpIdToken(access_token) {
    const data = JSON.stringify(
        {
            "audience": "https://your-audience-endpoint-pimf6a67fa-ew.a.run.app",
            "includeEmail": "true"
        }
    )
   return await axios({
            method: 'post',
            url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/account-id.iam.gserviceaccount.com:generateIdToken',
            data: data,
            headers: {
                'Content-Type': 'application/json',
                'Content-Length': data.length,
                'Authorization': `Bearer ${access_token}`
            }
        }) .then( (result) => {
        return result.data.token;
    });
}
async function getStatus(id_token){
    axios({
            method: 'get',
            url: 'https://your-endpoint-url',
            headers: {
                'Content-Type': 'application/json',
                'Authorization': `Bearer ${id_token}`
            }
        }
    ) .then( (result) => {
        console.log(result)
        return result;
    });
}
async function main() {
    const url = "https://your-endpoint-url"
    const auth = new GoogleAuth(
        { scopes: 'https://www.googleapis.com/auth/cloud-platform' }
    )
    const client = await auth.getClient();
    const access_token = (await client.getAccessToken()).token
    getGcpIdToken(access_token).then((id_token)=>getStatus(id_token))
}
main().catch(console.error);