googleapis · alvarowolfx · May 19, 2025 · May 19, 2025 · May 20, 2025 · May 20, 2025
@@ -20,16 +20,22 @@ edition.workspace = true
 publish           = false
 
 [features]
-run-integration-tests = []
+run-integration-tests       = []
+run-byoid-integration-tests = []
 
 [dependencies]
 scoped-env.workspace = true
 tempfile.workspace   = true
+http.workspace       = true
+serde_json.workspace = true
+httptest.workspace   = true
 # Local dependencies
-auth          = { path = "../../../src/auth", package = "google-cloud-auth" }
-gax           = { path = "../../../src/gax", package = "google-cloud-gax" }
-language      = { path = "../../../src/generated/cloud/language/v2", package = "google-cloud-language-v2" }
-secretmanager = { path = "../../../src/generated/cloud/secretmanager/v1", package = "google-cloud-secretmanager-v1" }
+auth           = { path = "../../../src/auth", package = "google-cloud-auth" }
+gax            = { path = "../../../src/gax", package = "google-cloud-gax" }
+language       = { path = "../../../src/generated/cloud/language/v2", package = "google-cloud-language-v2" }
+secretmanager  = { path = "../../../src/generated/cloud/secretmanager/v1", package = "google-cloud-secretmanager-v1" }
+iamcredentials = { path = "../../../src/generated/iam/credentials/v1", package = "google-cloud-iam-credentials-v1" }
+bigquery       = { path = "../../../src/generated/cloud/bigquery/v2", package = "google-cloud-bigquery-v2" }
 
 [dev-dependencies]
 serial_test = { workspace = true }

@@ -11,6 +11,21 @@ env GOOGLE_CLOUD_PROJECT=rust-auth-testing \
   cargo test --features run-integration-tests -p auth-integration-tests
 ```
 
+### Workload Identity integration tests
+
+Those integration tests requires more complex set up to run, like running from
-Those integration tests requires more complex set up to run, like running from
+These tests requires more complex set up to run, like running from
-Those integration tests requires more complex set up to run, like running from
+These tests requires more complex set up to run, like running from
+an Azure/AWS VM and having Workload Identity Pools set up. For now we are only
-an Azure/AWS VM and having Workload Identity Pools set up. For now we are only
+an Azure/AWS VM and having Workload Identity Pools set up. For now, we are only
-an Azure/AWS VM and having Workload Identity Pools set up. For now we are only
+an Azure/AWS VM and having Workload Identity Pools set up. For now, we are only
+run those tests locally and under a feature (`run-byoid-integration-tests`).
+Some extra environment variables with the workload identity pool configuration
+are required to run the tests.
+
+```sh
+env GOOGLE_CLOUD_PROJECT=cloud-sdk-auth-test-project \
+env GOOGLE_WORKLOAD_IDENTITY_SERVICE_ACCOUNT=<path-to-service-account> \
+env GOOGLE_WORKLOAD_IDENTITY_OIDC_AUDIENCE=//iam.googleapis.com/projects/<PROJECT_ID>/locations/global/workloadIdentityPools/<WORKLOAD_IDENTITY_POOL_ID>/providers/<WORKLOAD_IDENTITY_PROVIDER_ID> \
+  cargo test run_workload_ --features run-integration-tests --features run-byoid-integration-tests -p auth-integration-tests
-env GOOGLE_CLOUD_PROJECT=cloud-sdk-auth-test-project \
-env GOOGLE_WORKLOAD_IDENTITY_SERVICE_ACCOUNT=<path-to-service-account> \
-env GOOGLE_WORKLOAD_IDENTITY_OIDC_AUDIENCE=//iam.googleapis.com/projects/<PROJECT_ID>/locations/global/workloadIdentityPools/<WORKLOAD_IDENTITY_POOL_ID>/providers/<WORKLOAD_IDENTITY_PROVIDER_ID> \
-  cargo test run_workload_ --features run-integration-tests --features run-byoid-integration-tests -p auth-integration-tests
+env GOOGLE_CLOUD_PROJECT=cloud-sdk-auth-test-project \
+    GOOGLE_WORKLOAD_IDENTITY_SERVICE_ACCOUNT=<path-to-service-account> \    GOOGLE_WORKLOAD_IDENTITY_OIDC_AUDIENCE=//iam.googleapis.com/projects/<PROJECT_ID>/locations/global/workloadIdentityPools/<WORKLOAD_IDENTITY_POOL_ID>/providers/<WORKLOAD_IDENTITY_PROVIDER_ID> \
+  cargo test run_workload_ --features run-integration-tests --features run-byoid-integration-tests -p auth-integration-tests
-env GOOGLE_CLOUD_PROJECT=cloud-sdk-auth-test-project \
-env GOOGLE_WORKLOAD_IDENTITY_SERVICE_ACCOUNT=<path-to-service-account> \
-env GOOGLE_WORKLOAD_IDENTITY_OIDC_AUDIENCE=//iam.googleapis.com/projects/<PROJECT_ID>/locations/global/workloadIdentityPools/<WORKLOAD_IDENTITY_POOL_ID>/providers/<WORKLOAD_IDENTITY_PROVIDER_ID> \
-  cargo test run_workload_ --features run-integration-tests --features run-byoid-integration-tests -p auth-integration-tests
+env GOOGLE_CLOUD_PROJECT=cloud-sdk-auth-test-project \
+    GOOGLE_WORKLOAD_IDENTITY_SERVICE_ACCOUNT=<path-to-service-account> \    GOOGLE_WORKLOAD_IDENTITY_OIDC_AUDIENCE=//iam.googleapis.com/projects/<PROJECT_ID>/locations/global/workloadIdentityPools/<WORKLOAD_IDENTITY_POOL_ID>/providers/<WORKLOAD_IDENTITY_PROVIDER_ID> \
+  cargo test run_workload_ --features run-integration-tests --features run-byoid-integration-tests -p auth-integration-tests
+```
+
 #### Rotating the service account key
 
 Service account keys expire after 90 days, due to our org policy.

@@ -15,12 +15,17 @@
 use auth::credentials::{
     Builder as AccessTokenCredentialBuilder,
     api_key_credentials::Builder as ApiKeyCredentialsBuilder,
+    external_account::Builder as ExternalAccountCredentialsBuilder,
 };
+use bigquery::client::DatasetService;
 use gax::error::Error;
+use httptest::{Expectation, Server, matchers::*, responders::*};
+use iamcredentials::client::IAMCredentials;
 use language::client::LanguageService;
 use language::model::Document;
 use scoped_env::ScopedEnv;
 use secretmanager::client::SecretManagerService;
+use std::collections::HashMap;
 
 pub type Result<T> = std::result::Result<T, gax::error::Error>;
 
@@ -120,3 +125,118 @@ pub async fn api_key() -> Result<()> {
 
     Ok(())
 }
+
+pub async fn workload_identity_provider_url_sourced() -> Result<()> {
+    let project = std::env::var("GOOGLE_CLOUD_PROJECT").expect("GOOGLE_CLOUD_PROJECT not set");
+    let audience = get_oidc_audience();
+    let service_account = get_byoid_service_account();
+    let service_account_data =
+        serde_json::from_value::<HashMap<String, String>>(service_account.clone())
+            .expect("failed to read service account data as map");
+    let client_email = service_account_data
+        .get("client_email")
+        .expect("missing client_email");
+
+    let id_token =
+        generate_id_token(audience.clone(), client_email.to_string(), service_account).await?;
+
+    let source_token_response_body = serde_json::json!({
+        "id_token": id_token,
+    })
+    .to_string();
+
+    let server = Server::run();
+    server.expect(
+        Expectation::matching(all_of![
+            request::method_path("GET", "/source_token"),
+            request::headers(contains(("metadata", "True",))),
+        ])
+        .respond_with(status_code(200).body(source_token_response_body)),
+    );
+
+    let contents = serde_json::json!({
+      "type": "external_account",
+      "audience": audience,
+      "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+      "token_url": "https://sts.googleapis.com/v1/token",
+      "credential_source": {
+        "url": server.url("/source_token").to_string(),
+        "headers": {
+          "Metadata": "True"
+        },
+        "format": {
+          "type": "json",
+          "subject_token_field_name": "id_token"
+        }
+      }
+    })
+    .to_string();
+
+    // Create external account with Url sourced creds
+    let creds =
+        ExternalAccountCredentialsBuilder::new(serde_json::from_str(contents.as_str()).unwrap())
+            .build()
+            .unwrap();
+
+    // Construct a BigQuery client using the credentials.
+    // Using BigQuery as it is enabled by default.
+    let client = DatasetService::builder()
+        .with_credentials(creds)
+        .build()
+        .await?;
+
+    // Make a request using the external account credentials
+    client
+        .list_datasets()
+        .set_project_id(project)
+        .send()
+        .await?;
+
+    Ok(())
+}
+
+/// Generates a Google ID token using the iamcredentials generateIdToken API.
+/// https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oidc
+async fn generate_id_token(
+    audience: String,
+    client_email: String,
+    service_account: serde_json::Value,
+) -> Result<String> {
+    let creds = AccessTokenCredentialBuilder::new(service_account.clone())
+        .with_scopes(["https://www.googleapis.com/auth/cloud-platform"])
+        .build()
+        .expect("failed to setup service account credentials for IAM");
+
+    let client = IAMCredentials::builder()
+        .with_credentials(creds)
+        .build()
+        .await
+        .expect("failed to setup IAM client");
+
+    let res = client
+        .generate_id_token()
+        .set_audience(audience)
+        .set_include_email(true)
+        .set_name(format!("projects/-/serviceAccounts/{client_email}"))
+        .send()
+        .await?;
+
+    Ok(res.token)
+}
+
+fn get_oidc_audience() -> String {
+    std::env::var("GOOGLE_WORKLOAD_IDENTITY_OIDC_AUDIENCE")
+        .expect("GOOGLE_WORKLOAD_IDENTITY_OIDC_AUDIENCE not set")
+}
+
+fn get_byoid_service_account() -> serde_json::Value {
+    let path = std::env::var("GOOGLE_WORKLOAD_IDENTITY_CREDENTIALS")
+        .expect("GOOGLE_WORKLOAD_IDENTITY_CREDENTIALS not set");
+
+    let service_account_content =
+        std::fs::read_to_string(path).expect("unable to read service account");
+    let service_account: serde_json::Value = serde_json::from_str(service_account_content.as_str())
+        .expect("unable to parse service account");
+
+    service_account
+}
@@ -26,4 +26,10 @@ mod driver {
     async fn run_api_key() -> Result<()> {
         auth_integration_tests::api_key().await
     }
+
+    #[cfg(all(test, feature = "run-byoid-integration-tests"))]
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    async fn run_workload_identity_provider_url_sourced() -> Result<()> {
+        auth_integration_tests::workload_identity_provider_url_sourced().await
+    }
 }
@@ -17,6 +17,9 @@ pub mod mds;
 pub mod service_account;
 pub mod user_account;
 
+pub mod external_account;
+pub mod external_account_sources;
+
 pub(crate) mod internal;
 
 use crate::Result;
@@ -534,6 +537,13 @@ fn build_credentials(
                     |b: service_account::Builder, s: Vec<String>| b
                         .with_access_specifier(service_account::AccessSpecifier::from_scopes(s))
                 ),
+                "external_account" => {
+                    let builder = external_account::Builder::new(json);
+                    let builder = quota_project_id
+                        .into_iter()
+                        .fold(builder, |b, qp| b.with_quota_project_id(qp));
+                    builder.build()
+                }
                 _ => Err(errors::non_retryable_from_str(format!(
                     "Invalid or unsupported credentials type found in JSON: {cred_type}"
                 ))),