feat(auth): add support for headless workforce identity

[alvarowolfx]

Towards #4821

[codecov]

Codecov Report

❌ Patch coverage is 75.00000% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 94.53%. Comparing base (a50ea91) to head (bb360d7).
⚠️ Report is 12 commits behind head on main.

Files with missing lines	Patch %	Lines
src/auth/src/credentials/external_account.rs	75.00%	9 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4825      +/-   ##
==========================================
- Coverage   94.61%   94.53%   -0.08%     
==========================================
  Files         208      208              
  Lines        8164     8198      +34     
==========================================
+ Hits         7724     7750      +26     
- Misses        440      448       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[alvarowolfx]

Tested following internal guide on Workforce Identity and with Access Boundaries.

code:

use google_cloud_auth::credentials::{Builder, CacheableResource};
use google_cloud_storage::client::StorageControl;
use httptest::http::Extensions;
use scoped_env::ScopedEnv;

const BUCKET_ID: &str = "REDACTED";

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    // Enable trust boundaries
    let _env = ScopedEnv::set("GOOGLE_AUTH_ENABLE_TRUST_BOUNDARIES", "true");

    println!("Building Credentials...");
    // Will use ADC with the environment variable set
    let creds = Builder::default().build()?;
    println!("Credentials built: {:?}", creds);

    for _ in 0..10 {
        let cached_headers = creds.headers(Extensions::new()).await?;
        let headers = match cached_headers {
            CacheableResource::New { data, .. } => data,
            CacheableResource::NotModified => unreachable!("should always get new headers"),
        };
        let token = headers.get("Authorization");
        println!("Token: {:?}", token);
        let locations = headers.get("x-goog-allowed-locations");
        println!("Locations: {:?}", locations);
        if locations.is_some() {
            println!("Locations found, breaking");
            break;
        }
        tokio::time::sleep(tokio::time::Duration::from_secs(5)).await;
    }

    let client = StorageControl::builder()
        .with_credentials(creds.clone())
        .build()
        .await?;
    let bucket = client
        .get_bucket()
        .set_name(format!("projects/_/buckets/{BUCKET_ID}"))
        .send()
        .await?;
    println!("successfully obtained bucket metadata {bucket:?}");

    Ok(())
}

output:

Building Credentials...
Credentials built: Credentials { inner: AccessTokenCredentials { inner: CredentialsWithAccessBoundary { credentials: ExternalAccountCredentials { token_provider: TokenCache { rx_token: Receiver { shared: Shared { value: RwLock(PhantomData<std::sync::poison::rwlock::RwLock<core::option::Option<core::result::Result<(google_cloud_auth::token::Token, google_cloud_auth::credentials::EntityTag), google_cloud_gax::error::credentials::CredentialsError>>>>, RwLock { data: None }), version: Version(0), is_closed: false, ref_count_rx: 1 }, version: Version(0) } }, quota_project_id: None }, access_boundary: AccessBoundary { rx_header: Receiver { shared: Shared { value: RwLock(PhantomData<std::sync::poison::rwlock::RwLock<core::option::Option<google_cloud_auth::access_boundary::BoundaryValue>>>, RwLock { data: None }), version: Version(0), is_closed: false, ref_count_rx: 1 }, version: Version(0) } } } } }
Token: Some(Sensitive)
Locations: None
Token: Some(Sensitive)
Locations: Some("0x80000000000")
Locations found, breaking
successfully obtained bucket metadata Bucket { name: "projects/_/buckets/REDACTED", bucket_id: "wf-demo", etag: "CAI=", project: "projects/307586025878", metageneration: 2, location: "US", location_type: "multi-region", storage_class: "STANDARD", rpo: "DEFAULT", acl: [], default_object_acl: [], lifecycle: None, create_time: Some(Timestamp { seconds: 1653524454, nanos: 427000000 }), cors: [], update_time: Some(Timestamp { seconds: 1772483935, nanos: 587000000 }), default_event_based_hold: false, labels: {}, website: None, versioning: None, logging: None, owner: None, encryption: None, billing: None, retention_policy: None, iam_config: Some(IamConfig { uniform_bucket_level_access: Some(UniformBucketLevelAccess { enabled: true, lock_time: Some(Timestamp { seconds: 1661300454, nanos: 427000000 }) }), public_access_prevention: "inherited" }), satisfies_pzs: false, custom_placement_config: None, autoclass: None, hierarchical_namespace: None, soft_delete_policy: Some(SoftDeletePolicy { retention_duration: Some(Duration { seconds: 604800, nanos: 0 }), effective_time: Some(Timestamp { seconds: 1709280000, nanos: 0 }) }), object_retention: None, ip_filter: None }

[coryan]

A few ideas to improve clarity.