Add support for Workload Identity Federation

[moricho]

Background

Currently, the auth library supports three authentication methods:

• User credentials (authorized_user)
• Service account key credentials (service_account)
• Metadata service credentials (for GCE/GKE)

However, it lacks support for Workload Identity Federation, which is Google Cloud's recommended way to access Google Cloud resources from non-Google Cloud environments (Github Actions, AWS, Azure, etc.) without using service account keys.

Proposed Changes

Add support for Workload Identity Federation by:

1. Implementing external account credentials:

   • Add support for type: "external_account" in ADC files
   • Implement STS (Security Token Service) token exchange
   • Support credential source configurations for different providers

2. Supporting some providers:

   • Generic OIDC provider
   • AWS
   • Azure

Example Configuration

{
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url":"https://sts.googleapis.com/v1/token",
    "credential_source": {
        "url": "***",
        "headers": {"Authorization":"***"},
        "format":{"type":"json","subject_token_field_name":"value"}
    },
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken"
}

[coryan]

However, it lacks support for Workload Identity Federation, which is Google Cloud's recommended way to access Google Cloud resources from non-Google Cloud environments (Github Actions, AWS, Azure, etc.) without using service account keys.

We are aware and it is part of our roadmap. Unfortunately, we are not at liberty of sharing timelines.