pvillard31 commented on code in PR #10485:
URL: https://github.com/apache/nifi/pull/10485#discussion_r2490814631


##########
nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java:
##########
@@ -143,13 +161,70 @@ public void migrateProperties(PropertyConfiguration 
config) {
     }
 
     private GoogleCredentials getGoogleCredentials(final ConfigurationContext 
context) throws IOException {
+        if (context.getProperty(IDENTITY_FEDERATION_TOKEN_PROVIDER).isSet()) {
+            return getFederatedGoogleCredentials(context);
+        }
+
         final ProxyConfiguration proxyConfiguration = 
ProxyConfiguration.getConfiguration(context);
         final HttpTransportFactory transportFactory = new 
ProxyAwareTransportFactory(proxyConfiguration);
         return 
credentialsProviderFactory.getGoogleCredentials(context.getProperties(), 
transportFactory);
     }
 
+    private GoogleCredentials getFederatedGoogleCredentials(final 
ConfigurationContext context) {
+        final GCPIdentityFederationTokenProvider tokenProvider = 
context.getProperty(IDENTITY_FEDERATION_TOKEN_PROVIDER)
+                .asControllerService(GCPIdentityFederationTokenProvider.class);
+        final AccessToken accessToken = tokenProvider.getAccessDetails();
+
+        if (accessToken == null || 
StringUtils.isBlank(accessToken.getAccessToken())) {
+            throw new ProcessException("Identity Federation Token Provider 
returned no access token");
+        }
+
+        final Instant fetchTime = 
Objects.requireNonNull(accessToken.getFetchTime(), "Access token fetch time 
required");
+        long expiresIn = accessToken.getExpiresIn();
+        if (expiresIn <= 0) {
+            expiresIn = 300;
+        }
+
+        final Instant expirationInstant = fetchTime.plusSeconds(expiresIn);
+        final Date expiration = Date.from(expirationInstant);
+
+        final com.google.auth.oauth2.AccessToken googleAccessToken = new 
com.google.auth.oauth2.AccessToken(accessToken.getAccessToken(), expiration);
+        return GoogleCredentials.create(googleAccessToken);
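Review bot: The last line of getFederatedGoogleCredentials, `GoogleCredentials.create(googleAccessToken)`, wraps one fixed token and a computed expiration with no refresh source, so the returned credentials cannot renew themselves and any caller holding them fails once that instant passes. Consider returning a credential type that goes back to the token provider when the token nears expiry, rather than a snapshot taken at configuration time. Two smaller points in the same method: `if (expiresIn <= 0) { expiresIn = 300; }` silently invents a five-minute lifetime when the provider reports none, which can keep a token in use past its real expiry or discard it early, so the fallback deserves a named constant, a comment explaining the choice and a log line when it is applied (or an outright rejection). Also, a missing fetch time surfaces as a NullPointerException from `Objects.requireNonNull` while a blank token raises ProcessException; using the same exception type for both keeps the failure handling consistent.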

Review Comment:
   You're absolutely right, I completely overlooked the refresh of the 
exchanged token. Using IdentityPoolCredentials is definitely the right 
approach. I've made some tests and it works well. Pushing a commit with the 
changes.


