[Question] Support for AWS IRSA?

[kkocel]

I wonder if there is built-in support for IRSA in this library?
I would like to use credentials for the IRSA role to obtain GCS token.
Currently, I have to implement my own AwsSecurityCredentialsSupplier and use AWS library to retrieve IRSA credentials.

import com.google.auth.Credentials;
import com.google.auth.oauth2.AwsCredentials;
import com.google.auth.oauth2.AwsSecurityCredentials;
import com.google.auth.oauth2.AwsSecurityCredentialsSupplier;
import com.google.auth.oauth2.ExternalAccountSupplierContext;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain;

        try {
            var awsCredentialsProvider = DefaultCredentialsProvider.builder().build();
            var googleCredentials = GoogleCredentials.getApplicationDefault();

            if (googleCredentials instanceof AwsCredentials awsCredentials) {
                var credentialsWithIrsaRole =
                        AwsCredentials.newBuilder(awsCredentials)
                                .setCredentialSource(null) // cannot have credential source and credential supplier
                                .setAwsSecurityCredentialsSupplier(
                                        new IrsaAwsSecurityCredentialsSupplier(
                                                awsCredentialsProvider))
                                .build();
                scopedCredentials = credentialsWithIrsaRole.createScoped(List.of("https://www.googleapis.com/auth/devstorage.full_control"));
            } else {
                throw new IllegalStateException(
                        "Workload Identity Federation requires AWS credentials. Google credentials class: "
                                + googleCredentials.getClass().getSimpleName());
            }

            log.debug("Successfully obtained credentials with Workload Identity Federation");
        } catch (IOException exception) {
            log.error("Failed to initialize Workload Identity Federation credentials", exception);
            throw new IllegalStateException("Unable to initialize WIF credentials", exception);
        }

//...
    private record IrsaAwsSecurityCredentialsSupplier(AwsCredentialsProvider awsCredentialsProvider)
            implements AwsSecurityCredentialsSupplier {

        @Override
        public AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext context) {
            var awsCredentials = awsCredentialsProvider.resolveCredentials();
            if (awsCredentials instanceof AwsSessionCredentials sessionCredentials) {
                return new AwsSecurityCredentials(
                        sessionCredentials.accessKeyId(),
                        sessionCredentials.secretAccessKey(),
                        sessionCredentials.sessionToken());
            }
            throw new IllegalStateException(
                    "Requires aws session credentials with token for irsa. AWS credentials class: "
                            + awsCredentials.getClass().getSimpleName());
        }

        @Override
        public String getRegion(ExternalAccountSupplierContext context) {
            return DefaultAwsRegionProviderChain.builder().build().getRegion().id();
        }
    }

I wonder if there is a simpler way to achieve this?

[lqiu96]

Thanks for raising this. I don't think this is something that we have planned for now. CC'ing @vverman and @lsirac if they have plans.

Marking this as a feature request for now given that the custom implementation above works.