Why would the code below result in no token in the returned credentials? (The WIF pool with an AWS provider exists and a service account is connected to it.)
from google.auth import aws
def lambda_handler(event, context):
    """Construct AWS workload-identity-federation credentials for Google Cloud and print their state.

    ``event`` and ``context`` are the Lambda invocation arguments and are not used.
    The credentials object is only built from the in-code configuration here; no
    token exchange is triggered, which is why the prints below report no token.
    """
    # Where google-auth looks for the AWS region and signing credentials, plus the
    # STS GetCallerIdentity endpoint whose signed request becomes the subject token.
    credential_source = {
        "environment_id": "aws1",
        "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
        "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
        "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
    }
    external_account_info = {
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/XXX/locations/global/workloadIdentityPools/awspool/providers/awsprovider",
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/serviceaccount@XXX.iam.gserviceaccount.com:generateAccessToken",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": credential_source,
    }
    creds = aws.Credentials.from_info(external_account_info)
    # No refresh has been performed, so (as the question reports) these show None / False.
    print('token: ', creds.token)
    print('valid: ', creds.valid)
I'm getting token=None and valid=False, whereas my understanding is that the credentials should have a token and valid=True?
You have to refresh the credentials before they can be used for a request to Google Cloud. Something like this:
from google.auth import aws
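def lambda_handler(event, context):
    """Obtain a Google Cloud access token via AWS workload identity federation and print it.

    Builds ``external_account`` credentials from the in-code configuration and then
    refreshes them. The refresh is what performs the token exchange (signed AWS
    request -> Google STS -> service-account impersonation); until it runs the
    credentials carry no token, which is why ``token`` was None and ``valid`` False.

    Args:
        event: Lambda invocation payload (unused).
        context: Lambda runtime context (unused).
    """
    import google.auth.transport.requests

    json_config_info = {
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/XXX/locations/global/workloadIdentityPools/awspool/providers/awsprovider",
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/serviceaccount@XXX.iam.gserviceaccount.com:generateAccessToken",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
            "environment_id": "aws1",
            # region_url / url point at the EC2 instance metadata service. Inside
            # Lambda that endpoint is not available; google-auth is expected to
            # fall back to the AWS_REGION / AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
            # (and AWS_SESSION_TOKEN) environment variables the runtime sets —
            # confirm for the library version in use.
            "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
        },
    }
    credentials = aws.Credentials.from_info(json_config_info)

    # Perform the exchange: this is the network call that populates .token.
    # The original snippet called refresh() on the undefined name `creds`,
    # which raises NameError before any token is obtained.
    request = google.auth.transport.requests.Request()
    credentials.refresh(request)

    # NOTE: printing the access token writes a live bearer credential into the
    # function's log stream; keep this only while verifying the setup.
    print('token: ', credentials.token)
    print('valid: ', credentials.valid)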