When our applications needed to make authenticated requests to Google BigQuery we used JSON User Credentials which were stored in ENV vars.
DfE have moved away from JSON credentials and instead we use Azure Workload Identity Federation (WIF) in order to harden security.
We use a terraform variable `enable_gcp_wif` to set up specific pods with some keys. This is only enabled on the `worker` and `secondary-worker` pods.
This automatically sets two environment variables on the targeted pods which are used in the WIF process.
ENV['AZURE_CLIENT_ID']
ENV['AZURE_FEDERATED_TOKEN_FILE']
We also have a Google Cloud Application Default Credentials (GCP credentials) file which is stored as an environment variable on the pods: ENV['GOOGLE_CLOUD_CREDENTIALS_STATS'].
- Get an Azure Access Token
  - Use `AZURE_CLIENT_ID` and `AZURE_FEDERATED_TOKEN_FILE` to get an access token from the URL specified in the Google Cloud Credentials.
- Exchange the Azure Access Token for a GCP token
  - Use the Azure Access Token to get a GCP token from the Google Security Token Service API (STS).
  - Use the GCP token to get a Service Account Impersonation token (SAI token).
- Use the SAI token to make authenticated requests to BigQuery.
The SAI token will expire in ~60 minutes. If the token is expired, a new token is requested.
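The chain above, as an added example (not the project's own `WorkloadIdentityFederation` classes): the three exchanges plus an expiry-aware cache for the SAI token, with the HTTP call injected so it runs offline. The endpoints and field names are those of the Azure AD v2 token endpoint, Google STS and the IAM Credentials `generateAccessToken` API; the tenant, Azure scope, pool audience and service account are placeholders the caller supplies, and the 60-second refresh margin is an assumption.

```ruby
require "json"
require "time"

# Example WIF token chain. `post` is a callable (url, headers, body) -> Hash,
# so a real HTTP client or an offline stub can be plugged in.
class WifTokenChain
  CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
  TOKEN_EXCHANGE_GRANT  = "urn:ietf:params:oauth:grant-type:token-exchange"
  STS_URL = "https://sts.googleapis.com/v1/token"
  SCOPE   = "https://www.googleapis.com/auth/cloud-platform"

  def initialize(tenant_id:, client_id:, federated_token_file:, audience:,
                 service_account:, post:, now: -> { Time.now })
    @token_url = "https://login.microsoftonline.com/#{tenant_id}/oauth2/v2.0/token"
    @client_id, @file, @audience, @sa, @post, @now =
      client_id, federated_token_file, audience, service_account, post, now
    @cached = nil
  end

  # Step 1: the AKS-projected federated token (a JWT) is the client assertion.
  # The scope must match the audience allowed on the GCP pool provider (placeholder).
  def azure_access_token
    form = { "grant_type" => "client_credentials", "client_id" => @client_id,
             "client_assertion_type" => CLIENT_ASSERTION_TYPE,
             "client_assertion" => File.read(@file).strip,
             "scope" => "api://AzureADTokenExchange/.default" }
    @post.call(@token_url, {}, form).fetch("access_token")
  end

  # Step 2: exchange the Azure token at Google STS for a federated GCP token.
  def gcp_sts_token(azure_token)
    body = { "grant_type" => TOKEN_EXCHANGE_GRANT, "audience" => @audience, "scope" => SCOPE,
             "requested_token_type" => "urn:ietf:params:oauth:token-type:access_token",
             "subject_token_type" => "urn:ietf:params:oauth:token-type:jwt",
             "subject_token" => azure_token }
    @post.call(STS_URL, { "Content-Type" => "application/json" }, body).fetch("access_token")
  end

  # Step 3: impersonate the service account; the response carries expireTime.
  # A cached token is reused until it is within 60 s of expiry, then re-requested.
  def sai_token
    return @cached[:token] if @cached && @cached[:expires_at] > @now.call + 60
    url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/#{@sa}:generateAccessToken"
    headers = { "Authorization" => "Bearer #{gcp_sts_token(azure_access_token)}",
                "Content-Type" => "application/json" }
    resp = @post.call(url, headers, { "scope" => [SCOPE] })
    @cached = { token: resp.fetch("accessToken"), expires_at: Time.iso8601(resp.fetch("expireTime")) }
    @cached[:token]
  end
end
```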
`Google::Cloud::Bigquery` vs `Google::Apis::BigqueryV2`
Previously, when using the Service Account JSON Credentials we were able to use the `Google::Cloud::BigQuery` library. This is a higher level "modern" library which manages the smaller details of interacting with the service. This library does not support the OAuth authentication methods we now depend on, so we need to change the BigQuery client to use the Ruby Google API client for BigQuery V2, `Google::Apis::BigqueryV2`.
| Description | Module/Path |
|---|---|
| Module | ./../../lib/workload_identity_federation.rb |
| Initializer | ./../../config/initializers/workload_identity_federation.rb |
| Classes | WorkloadIdentityFederation::AzureAccessToken, WorkloadIdentityFederation::GoogleTokenExchange, WorkloadIdentityFederation::GoogleAccessToken, WorkloadIdentityFederation::UserCredentials |