Authentication to AWS using GCP credentials #9873

@mik-laj

Description

Hello,

We can use OpenID Connect Federation in AWS Security Token Service to use Google identity credentials to access AWS services.
If we obtain identity credentials using the Google metaserver, we will not have to use any long-lived authorization data. This will increase security. If temporary credentials leak, their use is limited.

This sample shows how to make authenticated calls to AWS APIs from Google Cloud.

This is a sample flow:
[Diagram: AWS STS Assume Role GCP]

Requirements:

  1. The flow shows the usage of the S3 service, but it should be possible to use any AWS service.
  2. The flow shows how to get a token using the metaserver, but we should also support other methods of getting ID tokens.
    a) service account in connection (path/dict)
    b) environment variable
    c) gcloud tool credentials (service account/stored authorized user credential)
    d) metaserver
  3. Tokens should be automatically refreshed in both libraries - boto and google-auth

I would also be happy if we had comprehensive documentation, ideally together with Terraform scripts. This is a feature that is not described often because AWS doesn't want to describe GCP services and AWS doesn't want to describe Google services. The exact example certainly helped to understand this feature.

To implement token refresh for AWS, this article can help.
https://dev.to/li_chastina/auto-refresh-aws-tokens-using-iam-role-and-boto3-2cjf
In the case of GCP, the problem will be the many methods of creating a token, but I will be happy to share the code if anyone wants to implement it.

More information:
https://github.com/shrikant0013/gcp-aws-webidentityfederation
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts.html#STS.Client.assume_role_with_web_identity

CC: @ad-m
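The flow described above, written out as an added example (it is not code from this issue, from Airflow, or from the linked repositories): obtain a Google ID token from the GCE metadata server (method 2d), sanity-check its `aud` and `exp` claims before any AWS call, exchange it via `AssumeRoleWithWebIdentity`, and hand botocore a refresh callback so both the ID token and the STS session are renewed automatically. `ROLE_ARN`, `AUDIENCE`, the session name and the `SAMPLE_*` fixtures are hypothetical; the metadata URL and `Metadata-Flavor` header are the real GCE endpoint, and `sts_assume` is any callable with the signature of boto3's `sts.assume_role_with_web_identity`, so the module runs offline against the constructed fixtures and with real boto3 when `make_boto3_session` is used.

```python
"""Google ID token (GCE metadata server) -> STS AssumeRoleWithWebIdentity ->
auto-refreshing boto3 session. Added example; not code from the issue or Airflow.
Hypothetical: ROLE_ARN, AUDIENCE, the session name and the SAMPLE_* fixtures."""
import base64
import json
import time
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# Real GCE endpoint (method 2d in the issue); the Metadata-Flavor header is mandatory.
METADATA_ID_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")
ROLE_ARN = "arn:aws:iam::123456789012:role/gcp-federated"  # hypothetical
# The role's trust policy should bind accounts.google.com:oaud to this value,
# so a token minted for any other audience is rejected by STS.
AUDIENCE = "https://example.invalid/aws-federation"          # hypothetical


def _metadata_get(url: str) -> bytes:
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def fetch_gcp_id_token(audience: str,
                       http_get: Callable[[str], bytes] = _metadata_get) -> str:
    """Short-lived Google ID token bound to `audience`; no key material leaves the VM."""
    query = urllib.parse.urlencode({"audience": audience, "format": "full"})
    return http_get(f"{METADATA_ID_TOKEN_URL}?{query}").decode().strip()


def decode_jwt_claims(token: str) -> Dict:
    """Payload only, unverified: STS checks Google's signature; we only sanity-check claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token(token: str, audience: str, now: Optional[float] = None) -> Dict:
    """Fail fast, before any AWS call, on a token for the wrong aud or already expired."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        raise ValueError(f"aud {claims.get('aud')!r} != expected {audience!r}")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("ID token already expired")
    return claims


def assume_role_with_token(sts_assume: Callable[..., Dict], role_arn: str,
                           session_name: str, token: str) -> Dict[str, str]:
    """`sts_assume` has boto3's sts.assume_role_with_web_identity signature.
    Returns the metadata dict botocore's RefreshableCredentials expects."""
    resp = sts_assume(RoleArn=role_arn, RoleSessionName=session_name,
                      WebIdentityToken=token, DurationSeconds=3600)
    c = resp["Credentials"]
    exp = c["Expiration"]
    return {"access_key": c["AccessKeyId"], "secret_key": c["SecretAccessKey"],
            "token": c["SessionToken"],
            "expiry_time": exp if isinstance(exp, str) else exp.isoformat()}


def make_refresher(sts_assume, role_arn: str, session_name: str, audience: str,
                   http_get: Callable[[str], bytes] = _metadata_get):
    """Zero-arg callable botocore invokes near expiry: new ID token, then new STS exchange."""
    def refresh() -> Dict[str, str]:
        token = fetch_gcp_id_token(audience, http_get)
        check_id_token(token, audience)
        return assume_role_with_token(sts_assume, role_arn, session_name, token)
    return refresh


def make_boto3_session(refresh):
    """Wire the refresher into boto3 (imported lazily so the checks above run without it)."""
    import boto3
    from botocore.credentials import RefreshableCredentials
    from botocore.session import get_session
    creds = RefreshableCredentials.create_from_metadata(
        metadata=refresh(), refresh_using=refresh,
        method="sts-assume-role-with-web-identity")
    core = get_session()
    core._credentials = creds  # private attribute, but the usual way to inject credentials
    return boto3.Session(botocore_session=core)


# --- constructed fixtures so the flow can be exercised offline (not real tokens) ---
def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url({"iss": "https://accounts.google.com", "aud": AUDIENCE,
                                  "sub": "1234567890", "exp": 4102444800}),
                         "fake-signature"])

def _sample_sts(**kw) -> Dict:  # stands in for sts.assume_role_with_web_identity
    return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                            "SessionToken": "session",
                            "Expiration": datetime(2030, 1, 1, tzinfo=timezone.utc)}}

def sample_refresh() -> Dict[str, str]:
    """The refresher run against the fixtures: the same path boto3 takes in production."""
    return make_refresher(_sample_sts, ROLE_ARN, "gcp-worker", AUDIENCE,
                          http_get=lambda url: SAMPLE_TOKEN.encode())()


if __name__ == "__main__":
    print(sample_refresh())
```

On a real GCE VM, replace the fixtures with `boto3.client("sts").assume_role_with_web_identity` and call `make_boto3_session(make_refresher(...))`; the session's S3 client then transparently re-runs the whole token-plus-STS exchange shortly before each expiry, which is the refresh behaviour requirement 3 asks for. The `aud` check matters because the metadata server will happily mint a token for any audience string; binding the trust policy to one audience and checking it client-side keeps a token issued for some other service from being replayed against the AWS role.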
