https://github.com/mashiike/gcreds4aws

Google Cloud Credentials utility for AWS Environment
https://github.com/mashiike/gcreds4aws

Last synced: 3 months ago
JSON representation

Google Cloud Credentials utility for AWS Environment

• Host: GitHub
• URL: https://github.com/mashiike/gcreds4aws
• Owner: mashiike
• License: mit
• Created: 2024-06-27T05:59:59.000Z (11 months ago)
• Default Branch: main
• Last Pushed: 2024-09-23T20:39:52.000Z (8 months ago)
• Last Synced: 2025-03-09T16:37:23.224Z (3 months ago)
• Language: Go
• Size: 36.1 KB
• Stars: 1
• Watchers: 1
• Forks: 0
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# gcreds4aws

Google Cloud Credentials utility for AWS Environment

## Usage 

```go 

package main

import (

	"context"

	"log"

	"github.com/mashiike/gcreds4aws"

	"google.golang.org/api/option"

	"google.golang.org/api/sheets/v4"

)

func main() {

	defer gcreds4aws.Close()

	srv, err := sheets.NewService(context.Background(), gcreds4aws.WithCredentials(ctx), option.WithScopes(sheets.SpreadsheetsReadonlyScope))

	if err != nil {

		log.Fatalf("Unable to retrieve Sheets client: %v", err)

	}

	// Google Sheets API Sample

	spreadsheetId := ""

	readRange := "A1:D5"

	resp, err := srv.Spreadsheets.Values.Get(spreadsheetId, readRange).Do()

	if err != nil {

		log.Fatalf("Unable to retrieve data from sheet: %v", err)

	}

	log.Fatal(resp.Values)

}

```

### Use with AWS SSM Parameter Store

set environment variable `GOOGLE_APPLICATION_CREDENTIALS` to SSM Parameter Store ARN.

```shell

export GOOGLE_APPLICATION_CREDENTIALS="arn:aws:ssm:::parameter/"

```

Google Cloud Credentials will be fetched from the SSM Parameter Store and cache to in-memory.

### With workload identity pool, (not EC2 instance)

The credentials for using the default workload identity pool are as follows:

```json

{

  "type": "external_account",

  "audiance": "//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/",

  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",

  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/:generateAccessToken",

  "token_url": "https://sts.googleapis.com/v1/token",

  "credential_source": {

    "environment_id": "aws1",

    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",

    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",

    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"

  }

}

```

However, this is designed to work on EC2 instances and will not function on Lambda or ECS. To work around this, a proxy server can be started locally to simulate the EC2 instance metadata endpoint and provide credential information.

If you want to output the access logs of the internally started HTTP server, set the logger as follows:

```go

gcred4aws.SetLogger(slog.Default())

```