Samrose-Ahmed opened a new issue, #258:
URL: https://github.com/apache/arrow-rs-object-store/issues/258

   **Is your feature request related to a problem or challenge? Please describe what you are trying to do.**
   
   I am accessing GCP resources from AWS using GCP Workload Identity Federation.
   
   **Describe the solution you'd like**
   
   Be able to access GCP resources from AWS using GCP Workload Identity Federation using object_store.
   
   https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif
   
   **Describe alternatives you've considered**
   
   Is there a way to export my workload identity credentials to a form 
object_store can understand similar to AWS STS GetSessionToken (my knowledge of 
GCP is more limited)?
   
   **Additional context**
   
   - Currently errors with `GCP credential error: A configuration file was passed in but was not used` at https://github.com/apache/arrow-rs/blob/master/object_store/src/gcp/credential.rs#L431
   - There are different types of Application Default Credentials files other than https://github.com/apache/arrow-rs/blob/master/object_store/src/gcp/credential.rs#L405-L411, see https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif
     The one for workload identity federation looks like:
   
   ```json
   {
       "audience": "//iam.googleapis.com/projects/111111534588/locations/global/workloadIdentityPools/abc",
       "credential_source": {
           "environment_id": "id123",
           "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
       },
       "service_account_impersonation": {
           "token_lifetime_seconds": 3600
       },
       "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/a...@acb123.iam.gserviceaccount.com:generateAccessToken",
       "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
       "token_url": "https://sts.googleapis.com/v1/token",
       "type": "external_account"
   }
   ```
   - The process for exchanging credentials over REST API is documented here: 
https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#generate-automatic


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscr...@arrow.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
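
An added example, not part of the issue and not object_store code: a Python check that reads an Application Default Credentials file, recognizes the `external_account` type shown in the issue, and verifies that the endpoints which will receive credentials are https URLs on the expected Google and AWS STS hosts. The sample file, the host allow-list and the function names are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample shaped like the file in the issue; every value is a placeholder.
SAMPLE = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/example-pool",
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
        "serviceAccounts/sa@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {
        "environment_id": "id123",
        "regional_cred_verification_url":
            "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
    },
})

# Assumed allow-list, derived from the hosts in the sample; adjust it per deployment.
AWS_STS = re.compile(r"sts\.[a-z]{2}(-[a-z]+)+-\d+\.amazonaws\.com")
EXPECTED_HOST = {
    "token_url": lambda h: h == "sts.googleapis.com",
    "service_account_impersonation_url": lambda h: h == "iamcredentials.googleapis.com",
    "regional_cred_verification_url": lambda h: AWS_STS.fullmatch(h) is not None,
}
REQUIRED = ("audience", "subject_token_type", "token_url", "credential_source")

def endpoint_problem(key, url):
    """Return a message if url is not an https URL on the expected host, else None."""
    if not isinstance(url, str):
        return f"{key}: not a string"
    parsed = urlparse(url.replace("{region}", "us-east-1"))  # fill the region template
    if parsed.scheme != "https" or not EXPECTED_HOST[key](parsed.hostname or ""):
        return f"{key}: unexpected endpoint {url!r}"
    return None

def check_adc(text):
    """Return (type, problems) for an Application Default Credentials JSON document."""
    cfg = json.loads(text)
    kind = cfg.get("type")
    if kind != "external_account":
        return kind, []  # other ADC file types are not inspected here
    problems = [f"missing {k}" for k in REQUIRED if k not in cfg]
    source = cfg.get("credential_source")
    source = source if isinstance(source, dict) else {}
    urls = {"token_url": cfg.get("token_url"),
            "service_account_impersonation_url": cfg.get("service_account_impersonation_url"),
            "regional_cred_verification_url": source.get("regional_cred_verification_url")}
    problems += [p for k, u in urls.items() if u is not None and (p := endpoint_problem(k, u))]
    return kind, problems
```

`check_adc(SAMPLE)` returns `("external_account", [])`; a file whose `token_url` or verification URL points at any other host comes back with one entry per offending field.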
