Add additional authentication for Google Cloud Operators #35899

@ChloeSheasby

Description

Currently, the only way to authenticate with Google Cloud operators is through defining a file path to the Google Cloud Credentials. This is not always a safe option, and credentials can be acquired in different ways through the Workload Federated Identity service in Google Cloud Platform.

This can be done as follows:

  • Request a token from your external service (defined in your Federated Identity)
  • Provide the following items as the payload to this API endpoint: https://sts.googleapis.com/v1/token
    • subject_token: the token from the previous request
    • grant_type: "urn:ietf:params:oauth:grant-type:token-exchange"
    • requested_token_type: "urn:ietf:params:oauth:token-type:access_token"
    • scope: "https://www.googleapis.com/auth/cloud-platform"
    • subject_token_type: "urn:ietf:params:oauth:token-type:jwt"
  • Provide the following items to this API endpoint: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/:generateAccessToken
    • Headers: use the token from the previous request in the "Authorization" section
    • Payload:
      • scope: ["https://www.googleapis.com/auth/cloud-platform"]
  • Use the token from the last request as the authentication.

Use case/motivation

I would like to be able to authenticate the Google Cloud operators through the Workload Federated Identity instead of providing the file path to credentials. This would help me to be able to use Airflow's native Google Cloud operators instead of making custom operators.

Related issues

No response

Are you willing to submit a PR?

  • Yes I am willing to submit a PR!

Code of Conduct
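The two-step exchange described in the issue (external JWT to STS federated token, then service-account impersonation), written out as an added example; this is not code from the issue author or from the Airflow Google provider. It assumes an injectable HTTP transport so the flow runs offline, and it includes the STS `audience` field (the workload identity pool provider resource name), which the real STS API requires even though the issue's list does not mention it. `FakeGoogle` and every token value are constructed.

```python
from typing import Callable, Dict, List, Tuple

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
           "serviceAccounts/{sa}:generateAccessToken")
CLOUD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# transport(url, headers, body) -> parsed JSON response. In production wrap
# requests.post: form-encode the body for STS, JSON-encode it for IAM Credentials.
Transport = Callable[[str, Dict[str, str], dict], dict]


def exchange_subject_token(subject_token: str, audience: str, transport: Transport) -> str:
    """Step 1: trade the external (OIDC/JWT) token for a federated STS token."""
    body = {
        "audience": audience,  # assumption: pool provider resource name, not listed in the issue
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": CLOUD_SCOPE,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": subject_token,
    }
    resp = transport(STS_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    return resp["access_token"]


def impersonate_service_account(federated_token: str, sa_email: str, transport: Transport) -> str:
    """Step 2: present the federated token as Bearer auth to mint a short-lived SA token."""
    headers = {"Authorization": f"Bearer {federated_token}", "Content-Type": "application/json"}
    resp = transport(IAM_URL.format(sa=sa_email), headers, {"scope": [CLOUD_SCOPE]})
    return resp["accessToken"]


def federated_access_token(subject_token: str, audience: str, sa_email: str,
                           transport: Transport) -> str:
    """Whole flow: external token -> STS federated token -> service-account access token."""
    federated = exchange_subject_token(subject_token, audience, transport)
    return impersonate_service_account(federated, sa_email, transport)


class FakeGoogle:
    """Constructed stand-in for both Google endpoints; records calls, never touches the network."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, str], dict]] = []

    def __call__(self, url: str, headers: Dict[str, str], body: dict) -> dict:
        self.calls.append((url, headers, body))
        if url == STS_URL:
            return {"access_token": "ya29.FEDERATED-constructed", "token_type": "Bearer", "expires_in": 3600}
        if headers.get("Authorization") != "Bearer ya29.FEDERATED-constructed":
            raise PermissionError("generateAccessToken requires the STS token as Bearer credential")
        return {"accessToken": "ya29.SA-constructed", "expireTime": "2024-01-01T00:00:00Z"}
```

The returned service-account token is what an operator would then pass as its Bearer credential; no key file is read or written at any step.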
