Snippets demonstrating how to get an id_token for the federated identity
Assume you already have GCP Workload Identity Federation (WIF) set up for an OIDC provider, as shown here.

First, grant the mapped federated principal permission to impersonate the target service account directly (roles/iam.serviceAccountTokenCreator on that SA):
gcloud iam service-accounts add-iam-policy-binding [email protected] \
--member='principal://iam.googleapis.com/projects/1071284184436/locations/global/workloadIdentityPools/oidc-pool-1/subject/[email protected]' \
--role='roles/iam.serviceAccountTokenCreator'

In this case the federated identity alice can directly mint an OIDC id_token for target-serviceaccount. Because the binding is placed on the service account resource rather than on the project, alice can create tokens for this one SA only.
Then, if alice's original federating token is in the file /tmp/oidccred.txt and your ADC config is:
{
"type": "external_account",
"audience": "//iam.googleapis.com/projects/1071284184436/locations/global/workloadIdentityPools/oidc-pool-1/providers/oidc-provider-1",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"credential_source": {
"file": "/tmp/oidccred.txt"
}
}

Enable ADC by pointing the environment variable at that config file (GOOGLE_APPLICATION_CREDENTIALS=/path/to/sts-creds.json).
Then call the IAM Credentials API (generateIdToken on the target service account) directly:
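The following is an added example (not code from the original page or its author) that performs the manual two-step flow the config above drives: exchange alice's federating JWT at the STS endpoint for a federated access token, then call iamcredentials generateIdToken on the target SA with that token. The service account name and audience in the usage stub are hypothetical placeholders; the ADC file path is read from GOOGLE_APPLICATION_CREDENTIALS as in the text. The request builders are pure functions so they can be inspected without network access; `fetch_id_token` is the part that actually talks to Google.

```python
"""Manual Workload Identity Federation flow:
federating subject token -> STS federated access token -> IAM Credentials generateIdToken.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_BASE = "https://iamcredentials.googleapis.com/v1"


def load_adc_config(path):
    """Read the external_account ADC file and check the fields this flow needs."""
    with open(path) as f:
        cfg = json.load(f)
    if cfg.get("type") != "external_account":
        raise ValueError("ADC file is not an external_account config")
    for key in ("audience", "subject_token_type", "token_url"):
        if key not in cfg:
            raise ValueError("ADC config missing %r" % key)
    return cfg


def read_subject_token(cfg):
    """Return the federating token named by credential_source.file (file source only)."""
    src = cfg.get("credential_source", {})
    if "file" not in src:
        raise ValueError("only a file-based credential_source is handled here")
    with open(src["file"]) as f:
        return f.read().strip()


def build_sts_request(cfg, subject_token):
    """Form body for the STS token exchange that yields a federated access token."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": cfg["audience"],
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": cfg["subject_token_type"],
        "subject_token": subject_token,
    }
    return cfg.get("token_url", STS_TOKEN_URL), form


def build_generate_id_token_request(target_sa, audience, federated_access_token):
    """URL, headers and JSON body for generateIdToken on the target service account."""
    url = "%s/projects/-/serviceAccounts/%s:generateIdToken" % (IAM_CREDENTIALS_BASE, target_sa)
    headers = {
        "Authorization": "Bearer " + federated_access_token,
        "Content-Type": "application/json",
    }
    body = {"audience": audience, "includeEmail": True}
    return url, headers, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims_unverified(token):
    """Return the JWT payload WITHOUT verifying the signature.
    Use only to inspect aud/iss/email locally; a relying party must verify the
    signature against Google's JWKS before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def id_token_matches(claims, expected_aud, expected_email):
    """Claims an id_token minted for an impersonated SA is expected to carry."""
    return (
        claims.get("iss") == "https://accounts.google.com"
        and claims.get("aud") == expected_aud
        and claims.get("email") == expected_email
    )


def _post(url, data, headers):
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def fetch_id_token(target_sa, audience):
    """Run the full flow against Google's endpoints (needs network and a real federating token)."""
    cfg = load_adc_config(os.environ["GOOGLE_APPLICATION_CREDENTIALS"])
    sts_url, form = build_sts_request(cfg, read_subject_token(cfg))
    sts_resp = _post(sts_url, urllib.parse.urlencode(form).encode(),
                     {"Content-Type": "application/x-www-form-urlencoded"})
    url, headers, body = build_generate_id_token_request(target_sa, audience, sts_resp["access_token"])
    return _post(url, json.dumps(body).encode(), headers)["token"]


if __name__ == "__main__":
    # Hypothetical target SA and audience; replace with your own values.
    tok = fetch_id_token("target-sa@your-project.iam.gserviceaccount.com", "https://example.com")
    print(json.dumps(decode_jwt_claims_unverified(tok), indent=2))
```

The STS exchange uses the audience and subject_token_type straight from the ADC file, which is exactly what google-auth does internally when GOOGLE_APPLICATION_CREDENTIALS points at an external_account config. The returned id_token should have iss https://accounts.google.com, the requested aud, and (because includeEmail is set) the target SA's email; the receiving service must still verify the signature rather than trusting the decoded claims.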