Workload identity federation is a new (as of April 2021) keyless authentication mechanism that allows applications running on a non-Google Cloud platform, such as AWS, to access Google Cloud resources without using a conventional service account token. This eliminates the dilemma of how to safely manage service account credential files.

This feature is still experimental in gargle and currently only supports AWS. It also requires installation of the suggested packages aws.signature and aws.ec2metadata. Workload identity federation can be used with other platforms, such as Microsoft Azure or any identity provider that supports OpenID Connect. If you would like gargle to support this token flow for additional platforms, please open an issue on GitHub and describe your use case.

```r
credentials_external_account(
  path = "",
  ...
)
```

## Arguments

scopes

A character vector of scopes to request. Pick from those listed at https://developers.google.com/identity/protocols/oauth2/scopes.

For certain token flows, the "https://www.googleapis.com/auth/userinfo.email" scope is unconditionally included. This grants permission to retrieve the email address associated with a token; gargle uses this to index cached OAuth tokens. This grants no permission to view or send email and is generally considered a low-value scope.

path

JSON containing the workload identity configuration for the external account, in one of the forms supported for the txt argument of jsonlite::fromJSON() (probably, a file path, although it could be a JSON string). The instructions for generating this configuration are given at Automatically generate credentials.

Note that external account tokens are a natural fit for use as Application Default Credentials, so consider storing the configuration file in one of the standard locations consulted for ADC, instead of providing path explicitly. See credentials_app_default() for more.

...

Additional arguments passed to all credential functions.
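An added example (not from the gargle documentation or package) showing how a caller would use this function together with the Application Default Credentials location mentioned above. It assumes the configuration file was generated per the Google Cloud instructions and that `GOOGLE_APPLICATION_CREDENTIALS` points at it; the defensive check that the file is a WIF configuration rather than a conventional service account key is the author's addition, not part of gargle.

```r
library(gargle)
library(jsonlite)

# Assumption: the WIF configuration lives where ADC looks for it.
# The fallback path is a placeholder, not a path the package prescribes.
cfg_path <- Sys.getenv(
  "GOOGLE_APPLICATION_CREDENTIALS",
  unset = "~/.config/gcloud/wif-config.json"   # placeholder
)

# Refuse to proceed with a conventional service account key file.
# A key file carries a long-lived "private_key"; a workload identity
# federation config has type "external_account" and no private key,
# which is the whole point of the keyless flow described above.
assert_wif_config <- function(path) {
  cfg <- jsonlite::fromJSON(path)
  if (!identical(cfg$type, "external_account")) {
    stop("expected an external_account configuration, got type: ",
         cfg$type %||% "<missing>")
  }
  if (!is.null(cfg$private_key)) {
    stop("configuration contains a private key; this is not a WIF config")
  }
  invisible(TRUE)
}

assert_wif_config(cfg_path)

# Request a token scoped to the Cloud Platform API. On AWS with
# aws.signature and aws.ec2metadata installed, the instance credentials
# are exchanged for a short-lived Google access token; NULL means the
# exchange was not possible in this environment.
token <- credentials_external_account(
  scopes = "https://www.googleapis.com/auth/cloud-platform",
  path = cfg_path
)
if (is.null(token)) {
  stop("credentials_external_account() returned NULL; check platform and config")
}
```

Because the token is obtained from the platform's own identity, the configuration file can be committed to a deployment image without the secrecy requirements of a service account key.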

## Value

A WifToken() or NULL.

## See also

Other credential functions: credentials_app_default(), credentials_byo_oauth2(), credentials_gce(), credentials_service_account(), credentials_user_oauth2(), token_fetch()

## Examples

```r
if (FALSE) {
```