tustvold commented on code in PR #3802:
URL: https://github.com/apache/arrow-rs/pull/3802#discussion_r1133078969


##########
object_store/src/gcp/credential.rs:
##########
@@ -466,33 +474,216 @@ impl ApplicationDefaultCredentialsFile {
     }
 }
 
-const DEFAULT_TOKEN_GCP_URI: &str = 
"https://accounts.google.com/o/oauth2/token";;
-
 #[async_trait]
 impl TokenProvider for ApplicationDefaultCredentials {
     async fn fetch_token(
         &self,
         client: &Client,
         retry: &RetryConfig,
     ) -> Result<TemporaryToken<String>, Error> {
-        let builder = client.request(Method::POST, DEFAULT_TOKEN_GCP_URI);
-        let builder = match self {
-            Self::AuthorizedUser {
-                client_id,
-                client_secret,
-                refresh_token,
-            } => {
-                let body = [
-                    ("grant_type", "refresh_token"),
-                    ("client_id", client_id),
-                    ("client_secret", client_secret),
-                    ("refresh_token", refresh_token),
-                ];
-                builder.form(&body)
+        match self {
+            Self::AuthorizedUser(credentials) => {
+                credentials.fetch_token(client, retry).await
+            }
+            Self::ExternalAccount(credentials) => match credentials {
+                ExternalAccountCredentials::Aws(credentials) => {
+                    credentials.fetch_token(client, retry).await
+                }
+            },
+        }
+    }
+}
+
+#[derive(serde::Deserialize, Debug)]
+struct GcpStsTokenResponse {
+    access_token: String,
+}
+
+#[derive(serde::Serialize, Debug)]
+struct GetCallerIdentityToken {
+    url: String,
+    method: String,
+    headers: Vec<GetCallerIdentityTokenHeader>,
+}
+#[derive(serde::Deserialize, serde::Serialize, Debug)]
+struct GetCallerIdentityTokenHeader {
+    key: String,
+    value: String,
+}
+
+#[derive(serde::Deserialize, Debug)]
+struct GcpGenerateAccessTokenResponse {
+    #[serde(rename = "accessToken")]
+    access_token: String,
+    #[serde(rename = "expireTime")]
+    expire_time: String,
+}
+
+const EXTERNAL_ACCOUNT_AWS_HEADERS: [&str; 5] = [
+    "authorization",
+    "host",
+    "x-amz-date",
+    "x-goog-cloud-target-resource",
+    "x-amz-security-token",
+];
+
+#[async_trait]
+impl TokenProvider for AwsExternalAccountCredentials {
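Review bot: `GcpStsTokenResponse` and `GcpGenerateAccessTokenResponse` both derive `Debug` while holding `access_token: String`, so any `{:?}` formatting of a response (an error context, a trace log) would write a live bearer token into the output. `GetCallerIdentityTokenHeader` has the same exposure if, as `EXTERNAL_ACCOUNT_AWS_HEADERS` suggests, its `value` carries the `authorization` and `x-amz-security-token` headers. I would drop `Debug` from these derives, e.g. `#[derive(serde::Deserialize)]` on the two response structs (and from `GetCallerIdentityToken`, which embeds the header type), or hand-write a `Debug` impl that prints the secret field as a fixed redaction marker. Whether anything formats these types today is not visible here, since the quoted hunk stops at the `impl TokenProvider for AwsExternalAccountCredentials` line.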

Review Comment:
   I think this functionality needs to be gated on the presence of the aws 
feature?


