feat(gcp): add support for external_account_authorized_user credentials #535
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds support for the external_account_authorized_user credential type used by Google Cloud Workforce Identity Federation. This credential format is created when users authenticate with `gcloud auth application-default login` using workforce identity pools with external identity providers. Previously, object_store only supported service_account and authorized_user credential types, causing deserialization failures when ADC files contained external_account_authorized_user credentials. Changes: - Added ExternalAccountAuthorizedUser variant to ApplicationDefaultCredentials enum - Implemented ExternalAccountAuthorizedUserCredentials struct with OAuth2 fields - Implemented TokenProvider trait using custom STS token endpoint - Added conversion to AuthorizedUserCredentials for signing operations - Updated builder.rs to handle new credential type in selection logic The implementation uses the STS (Security Token Service) OAuth token endpoint specified in the credential file for token refresh, following the same pattern as standard authorized_user credentials but with configurable token_url. Tests added: - Unit tests for JSON deserialization (full and minimal formats) - Unit test for credential type conversion - Builder test with sample credentials - Integration test for end-to-end API operations - Manual test with real ADC credentials (#[ignore]) This enables users in enterprise environments with Workforce Identity Federation to use object_store without workarounds, matching the behavior of official Google Cloud client libraries.
alamb
reviewed
Nov 25, 2025
|
|
||
| #[test] | ||
| #[ignore] // Only run manually when testing with real ADC | ||
| fn gcs_test_real_external_account_authorized_user_adc() { |
Contributor
There was a problem hiding this comment.
this test seems more like an example -- I wonder if it would be better as an example (or a no-run doc test)
| async fn gcs_test_external_account_authorized_user_integration() { | ||
| maybe_skip_integration!(); | ||
|
|
||
| // This test verifies that external_account_authorized_user credentials |
Contributor
There was a problem hiding this comment.
I don't understand how this test is verifying external_account_authorized_user -- it doesn't seem to configure such credentials 🤔
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds support for
external_account_authorized_usercredentials used by Google Cloud Workforce Identity Federation. This credential type is created when users authenticate withgcloud auth application-default loginusing workforce identity pools with external identity providers.Problem
Previously,
object_storeonly supported two Application Default Credential types:service_accountauthorized_userUsers with Workforce Identity Federation encountered deserialization errors when their ADC file contained
external_account_authorized_usercredentials, preventing them from using the library even though they had valid Google Cloud authentication.This affected enterprise environments where organizations use external identity providers (like Azure AD, Okta, etc.) to authenticate users to Google Cloud resources.
Solution
This PR extends credential support to include the
external_account_authorized_usertype:The implementation follows the same OAuth2 refresh flow as standard
authorized_usercredentials, but uses the customtoken_urlendpoint (typicallyhttps://sts.googleapis.com/v1/oauthtoken) specified in the credential file.Changes
Files Modified:
src/gcp/credential.rs: Added ExternalAccountAuthorizedUserCredentials struct, enum variant, and TokenProvider implementationsrc/gcp/builder.rs: Updated credential selection logic to handle new typesrc/gcp/mod.rs: Added integration testLines Changed: +314 additions across 3 files
Testing
Unit Tests
Integration Tests
Test Results:
All existing tests continue to pass with no regressions.
Credential Format Example
{ "type": "external_account_authorized_user", "audience": "//iam.googleapis.com/locations/global/workforcePools/pool/providers/provider", "client_id": "xxxxx.apps.googleusercontent.com", "client_secret": "secret", "refresh_token": "token", "token_url": "https://sts.googleapis.com/v1/oauthtoken", "token_info_url": "https://sts.googleapis.com/v1/introspect", "quota_project_id": "project-id" }Impact
This change enables users in enterprise environments with Workforce Identity Federation to use
object_storewith their standard ADC configuration, matching the behavior of official Google Cloud client libraries (Python, Java, Go, etc.).References