feat: allow Workload Identity Federation for Google connector#2
Open
feat: allow Workload Identity Federation for Google connector#2
Conversation
midu-git
force-pushed
the
CLOUD-1304
branch
3 times, most recently
from
3a5dfa3 to
3a25deb
Compare
astropanic
approved these changes
Jun 4, 2025
midu-git
force-pushed
the
CLOUD-1304
branch
4 times, most recently
from
b6b991d to
8a52fa5
Compare
A new Google connector option, `useCloudIdentityApi`, has been introduced. If the value is `true`, dex will use cloud identity api to fetch groups. In particular, no user impersonation happens. The logic to obtain the credentials is based on Application Default Credentials. Alternatively, the user is allowed to pass a path to a credentials JSON file using `serviceAccountFilePath`. In both cases, the principal described linked to the credentials requires group read rights. In case of a Service Account, a custom admin role with this right need to be created in Google Workspace, and the Service Account needs to be assigned to this role. Moreover, Workload Identity Federation is supported as Application Default Credentials supports this use case. Make sure to include `Service Account Token Creator` for the linked service account in that case. Signed-off-by: Michael Dudzinski <michael.dudzinski@aetherize.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A new Google connector option,
useCloudIdentityApi, has been introduced.If the value is
true, dex will use cloud identity api to fetchgroups. In particular, no user impersonation happens. The logic to
obtain the credentials is based on Application Default Credentials.
Alternatively, the user is allowed to pass a path to a credentials JSON
file using
serviceAccountFilePath. In both cases, the principaldescribed linked to the credentials requires group read rights. In case
of a Service Account, a custom admin role with this right need to be
created in Google Workspace, and the Service Account needs to be
assigned to this role.
Moreover, Workload Identity Federation is supported as Application Default
Credentials supports this use case. Make sure to include
Service Account Token Creatorfor the linked service account in thatcase.
Overview
What this PR does / why we need it
Until now, user impersonation was required to fetch groups for a certain user. In this PR, the user is allowed to opt-in for using cloud identity api which doesn't require user impersonation. Moreover, as Application Default Credentials are being used, Workload Identity Federation is supported with this PR, allowing interactions with Google Services from external sources, e.g. AWS, without requiring to provide any sensitive credential data on the caller side, c.f. here.
Special notes for your reviewer
Does this PR introduce a user-facing change?