PBM-1504 Add support for Workload Identity Authentication #1021
Conversation
|
|
| } | ||
| providers = append(providers, &credentials.StaticProvider{Value: credentials.Value{ | ||
| AccessKeyID: "GCP_OAUTH_TOKEN", | ||
| SecretAccessKey: "GCP_OATH_TOKEN", |
There was a problem hiding this comment.
is GCP_OATH_TOKEN a typo?
There was a problem hiding this comment.
Sorry for the delay, no not a typo, the fields are mandatory but they're just set to placeholder values here since they're not used for GCS.
Co-authored-by: Ege Güneş <[email protected]>
| Timeout: 100 * time.Millisecond, | ||
| } | ||
|
|
||
| req, err := http.NewRequest("GET", "http://169.254.169.254/computeMetadata/v1/", nil) |
There was a problem hiding this comment.
shouldn't "http://metadata.google.internal" be used instead of the hardcoded IP?
radoslawszulgo
changed the title
|
Any status updates here? Would be a nice addition to not have to keep long-lived credentials within our GKE cluster. |
|
Hi @terryyanko, |
Hey @davidswimbird, it's nice that you are showing interest for this feature and agree, we'll try to add it as part of PBM's next release. |
7 participants
Related to: percona/roadmap#26
For workloads running on GCE, fetch the service account token from the metadata server to allow for access to GCP services without explicit keys.
Tested successfully with local mongo and GCE metadata server emulator