{"id":18834035,"url":"https://github.com/jetstack/envoy-workload-identity","last_synced_at":"2026-01-26T03:30:19.287Z","repository":{"id":246008037,"uuid":"816316580","full_name":"jetstack/envoy-workload-identity","owner":"jetstack","description":"Example of no-code GCP Workload Identity using Envoy Proxy","archived":false,"fork":false,"pushed_at":"2024-06-24T08:29:41.000Z","size":9,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2024-12-30T07:27:20.325Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-17T13:48:16.000Z","updated_at":"2024-06-25T08:12:37.000Z","dependencies_parsed_at":"2024-06-25T10:43:16.240Z","dependency_job_id":"936aa458-9fef-4c82-bbab-6ceb1bf8d8ae","html_url":"https://github.com/jetstack/envoy-workload-identity","commit_stats":null,"previous_names":["jetstack/envoy-workload-identity"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fenvoy-workload-identity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fenvoy-workload-identity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fenvoy-workload-identity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fenvoy-workload-identity/manifests"
,"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jetstack","download_url":"https://codeload.github.com/jetstack/envoy-workload-identity/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239768930,"owners_count":19693764,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T02:06:40.852Z","updated_at":"2026-01-26T03:30:19.186Z","avatar_url":"https://github.com/jetstack.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# envoy-workload-identity\n\nThis repo contains demo/PoC scripts for showing how to use Envoy Proxy to inject a valid Authorization header into a GCP API call. There are 2 demos:\n\n1. In [local-dev](./local-dev/) Docker Compose is used to start Envoy Proxy and mock GCP Metadata servers. Curl will be used to demo calling the GCP Asset Inventory API.\n\n1. In [cloud-run](./cloud-run) GCP's Cloud Run service is used to host a simple Python web app (see [./api-client](./api-client)) with Envoy Proxy as a sidecar. 
There is no need for a mock Metadata service as the 'real' GCP Metadata service is available to the Cloud Run service.\n\n## Local demo\n\nThis uses Docker Compose to run Envoy Proxy and a mock GCP metadata server to show how Envoy is used to get an auth token from the Metadata service and inject it as an Authorization header in the API request before it's sent to the API endpoint.\n\n### Pre-requisites\n\nA GCP Project and Service Account with IAM permissions for calling the GCP Asset Inventory API (Cloud Asset Viewer role).  \nDownload the SA JSON key and store it.  \nEnsure the GCP Asset Inventory API is enabled for this Project.  \n\nThe custom Envoy Proxy image has already been built and is stored in an accessible registry (see [this readme](./envoyproxy/README.md)).\n\n### Running\n\nExport the following env vars:\n\n- PROJECT_ID=GCP Project ID\n- SA_KEY_PATH=absolute path to the SA key.json file\n- SA_EMAIL=the SA's email, e.g. something@myproject.iam.gserviceaccount.com\n- ENVOY_IMAGE=url of the Envoy Docker image you built\n\nGenerate the config files:\n\n```bash\ncd ./local-dev\nenvsubst \u003c compose.yaml.tmpl \u003e compose.yaml\nenvsubst \u003c metadata-config.json.tmpl \u003e config.json\n```\n\nLog in to the Docker registry (if not public):\n\nGCP example (\u003chttps://cloud.google.com/artifact-registry/docs/docker/authentication\u003e):\n\n```bash\ngcloud auth login\ngcloud auth configure-docker us-west1-docker.pkg.dev,europe-west1-docker.pkg.dev\n```\n\nAnd start Docker Compose:\n\n```bash\ndocker compose up\n```\n\nNow use curl to query the Asset Inventory API:\n\n```bash\ncurl -vvv \"localhost:10000/v1/projects/$PROJECT_ID/assets?assetTypes=storage.googleapis.com/Bucket\u0026contentType=RESOURCE\"\n```\n\nYou should see a JSON response containing details of all the storage buckets in the project. 
Logging from the Envoy container is deliberately verbose; this can be removed by editing `local-envoy-demo.yaml` and removing the logging lines from the inline Lua script.\n\n## Cloud Run demo\n\n### Pre-requisites\n\nA GCP Project and Service Account with IAM permissions for calling the GCP Asset Inventory API (Cloud Asset Viewer role).  \nEnsure the GCP Asset Inventory and Cloud Run Admin APIs are enabled for this Project.  \n\nThe custom Envoy Proxy image has already been built and is stored in an accessible registry (see [this readme](./envoyproxy/README.md)).\n\nThe Python api-client app has been dockerised and the image stored in an accessible registry (see [this readme](./api-client/README.md)).\n\n### Running\n\nExport the following env vars:\n\n- PROJECT_ID = GCP Project ID\n- SA_KEY_PATH = absolute path to the SA key.json file\n- SA_EMAIL = the SA's email, e.g. something@myproject.iam.gserviceaccount.com\n- ENVOY_IMAGE = url of the Envoy Docker image you built\n- ENVOY_CONFIG_BUCKET = the name of a storage bucket for storing the Envoy Proxy config\n\nGenerate the Cloud Run service config:\n\n```bash\ncd ./cloud-run\nenvsubst \u003c service.yaml.tmpl \u003e service.yaml\n```\n\nCreate the bucket for the Envoy config and upload `cloudrun-envoy-demo.yaml` into it:\n\n```bash\ngcloud storage buckets create gs://$ENVOY_CONFIG_BUCKET --location=europe-west1 --project=$PROJECT_ID\ngcloud storage cp ./cloudrun-envoy-demo.yaml gs://$ENVOY_CONFIG_BUCKET\n```\n\nDeploy the Cloud Run service and make it publicly accessible over the Internet.\n\n```bash\ngcloud run services replace service.yaml --region=europe-west1 --project=$PROJECT_ID\ngcloud run services set-iam-policy envoy-proxy-demo public-access-policy.yaml --region=europe-west1 --project=$PROJECT_ID\n```\n\nNOTE: be aware that there is no authentication configured on the Cloud Run URL, so the demo Python app is accessible anonymously over the public Internet.\n\nTo confirm the service is running and 
retrieve its URL:\n\n```bash\ngcloud run services describe envoy-proxy-demo --region=europe-west1 --project=$PROJECT_ID\n```\n\nLoad the URL in a browser page and select an option from the drop-down and click Submit. The Python code running in Cloud Run will forward the request on to the Envoy Proxy sidecar which will call the Metadata service to get a valid token and then inject the token.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fenvoy-workload-identity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Fenvoy-workload-identity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fenvoy-workload-identity/lists"}