https://github.com/unitvectory-labs/kubetogoogleidtoken
A Java library for obtaining Google ID tokens by leveraging Kubernetes Service Accounts with GCP Workload Identity Federation.
- Host: GitHub
- URL: https://github.com/unitvectory-labs/kubetogoogleidtoken
- Owner: UnitVectorY-Labs
- License: apache-2.0
- Created: 2024-11-19T02:31:43.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-03-22T16:20:59.000Z (about 1 year ago)
- Last Synced: 2025-03-22T17:26:24.842Z (about 1 year ago)
- Topics: gcp, kubernetes
- Language: Java
- Size: 103 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# kubetogoogleidtoken
A Java library for obtaining Google ID tokens by leveraging Kubernetes Service Accounts with GCP Workload Identity Federation.
## Getting Started
This library requires Java 17 and is available in the Maven Central Repository:
```xml
<dependency>
    <groupId>com.unitvectory</groupId>
    <artifactId>kubetogoogleidtoken</artifactId>
    <version>0.1.1</version>
</dependency>
```
## Usage
The library provides a client that can be used to obtain Google ID tokens. The client requires the following parameters:
```java
public static void main(String[] args) {
    // Build the client from the Workload Identity Federation parameters:
    // the projected Kubernetes service account token on disk, the GCP project
    // number, the pool and provider, and the service account to impersonate.
    KubeToGoogleIdTokenClient client = KubeToGoogleIdTokenClient.builder()
            .k8sTokenPath("/path/to/token")
            .projectNumber("000000000000")
            .workloadIdentityPool("my-identity-pool")
            .workloadProvider("my-provider")
            .serviceAccountEmail("account@example.iam.gserviceaccount.com")
            .build();

    // The audience is the value the resulting ID token's "aud" claim is bound to.
    KubeToGoogleIdTokenRequest request = KubeToGoogleIdTokenRequest.builder()
            .audience("https://example.com")
            .build();
    KubeToGoogleIdTokenResponse response = client.getIdToken(request);
    System.out.println(response.getIdToken());
}
```
## Configuration
When using Kubernetes with GCP Workload Identity Federation, the following configuration format is typically used. Instead of explicitly providing the configuration attributes, those can be
```java
KubeToGoogleIdTokenClient client = KubeToGoogleIdTokenClient.builder().build();
```
The path to the following JSON file can be provided with the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.
```json
{
"universe_domain": "googleapis.com",
"type": "external_account",
"audience": "//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/my-identity-pool/providers/my-provider",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"credential_source": {
"file": "/var/run/secrets/tokens/gcp-token",
"format": {
"type": "text"
}
},
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/account@example.iam.gserviceaccount.com:generateAccessToken"
}
```
One important note is that the `service_account_impersonation_url` in this file is set to call `:generateAccessToken` by default, but the use case here is ID tokens, so this client automatically rewrites it to `:generateIdToken` before making the request.
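As an added illustration of the Usage and Configuration sections above (example code, not part of the library), the following Python reads an `external_account` file of the shape shown, derives the same parameters the builder takes, rewrites the impersonation URL to `:generateIdToken`, and builds the two request bodies involved: the STS token exchange and the ID token mint. The sample file is constructed with placeholder values; the host pinning checks are this example's own defensive choice, not something the page states the library does.

```python
import json, re
# Constructed sample in the external_account shape shown above (placeholder values, not real).
SAMPLE_CREDENTIAL_JSON = """{"type": "external_account",
 "audience": "//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/my-identity-pool/providers/my-provider",
 "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
 "token_url": "https://sts.googleapis.com/v1/token",
 "credential_source": {"file": "/var/run/secrets/tokens/gcp-token", "format": {"type": "text"}},
 "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/account@example.iam.gserviceaccount.com:generateAccessToken"}"""
# Default audience pattern from the Limitations section; only this shape is accepted.
AUDIENCE_RE = re.compile(r"^//iam\.googleapis\.com/projects/(\d+)/locations/global/workloadIdentityPools/([^/]+)/providers/([^/]+)$")
IMPERSONATION_PREFIX = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
ACCESS_SUFFIX = ":generateAccessToken"

def parse_external_account(raw):
    """Validate the file and derive the builder parameters; pinning the Google hosts keeps a tampered file from sending the projected Kubernetes token elsewhere."""
    cfg = json.loads(raw)
    if cfg.get("type") != "external_account":
        raise ValueError("not an external_account credential")
    if cfg.get("token_url") != "https://sts.googleapis.com/v1/token":
        raise ValueError("unexpected token_url")
    m = AUDIENCE_RE.match(cfg.get("audience", ""))
    if not m:
        raise ValueError("audience is not the default Workload Identity Federation pattern")
    url = cfg.get("service_account_impersonation_url", "")
    if not (url.startswith(IMPERSONATION_PREFIX) and url.endswith(ACCESS_SUFFIX)):
        raise ValueError("unexpected service_account_impersonation_url")
    return {
        "project_number": m.group(1),
        "workload_identity_pool": m.group(2),
        "workload_provider": m.group(3),
        "k8s_token_path": cfg["credential_source"]["file"],
        "audience": cfg["audience"],
        "subject_token_type": cfg["subject_token_type"],
        "service_account_email": url[len(IMPERSONATION_PREFIX):-len(ACCESS_SUFFIX)],
        # The file names :generateAccessToken; ID tokens are minted by :generateIdToken instead.
        "id_token_url": url[:-len(ACCESS_SUFFIX)] + ":generateIdToken",
    }

def sts_exchange_body(params, k8s_jwt):
    """Step 1: POST body for token_url, trading the projected K8s JWT for a federated access token."""
    return {"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
            "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
            "scope": "https://www.googleapis.com/auth/cloud-platform",
            "audience": params["audience"], "subjectTokenType": params["subject_token_type"],
            "subjectToken": k8s_jwt}

def generate_id_token_body(audience):
    """Step 2: POST body for id_token_url (Authorization: Bearer <federated token>) to mint the ID token."""
    return {"audience": audience, "includeEmail": True}
```

The federated access token from step 1 is only used as the bearer credential for step 2; the value returned by step 2 is the Google ID token the client hands back.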
## Limitations
- Token caching is not implemented. The client will request a new token for each invocation. It is recommended to cache the token in the application.
- Custom audiences for Workload Identity Federation are not supported. The default audience pattern of `//iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/{WORKLOAD_IDENTITY_POOL}/providers/{WORKLOAD_PROVIDER}` is used.