@salrashid123
Last active September 7, 2025 17:52
GCP Authentication with custom STS Server

Simple DIY STS server for Google Cloud Application Default Credentials

or...how to use ADC and run your own STS token broker

An STS server will exchange one token for another. This protocol is used by GCP Workload Federation.

This example runs your own STS server with GCP: the STS server accepts a source token, validates it, and then returns a GCP access_token.

For more information about STS servers, see

QuickStart

If you just want to see a quick sample, use the STS server running at https://stsserver-3kdezruzua-uc.a.run.app/token. All this STS server does is return iamthewalrus if the provided token is iamtheeggman; that's it.

# the source token that the external_account credential will send to the STS server
echo -n iamtheeggman > /tmp/creds.txt

# write (not append to) the credential file; token_url points at the custom STS server
cat <<EOF > /tmp/sts-creds-file.json
{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/fake-oidc-pool-1/providers/fake-oidc-provider-1",
  "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "token_url": "https://stsserver-3kdezruzua-uc.a.run.app/token",
  "credential_source": {
    "file": "/tmp/creds.txt",
    "format": {
      "type": "text"
    }
  },
  "token_info_url": "https://sts.googleapis.com/v1/introspect"
}
EOF

export GOOGLE_APPLICATION_CREDENTIALS=/tmp/sts-creds-file.json
export GOOGLE_CLOUD_PROJECT=your-project-id

$ gcloud auth application-default print-access-token
iamthewalrus
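What the sample server has to implement is the /token side of the RFC 8693 token-exchange the external_account client performs: a form-encoded POST carrying grant_type, audience, subject_token and subject_token_type, answered with a JSON body whose access_token the client then uses directly (no service_account_impersonation_url is set in the credential file above). The following is an added example written for this page, not the gist author's server or Google's code; it assumes the same single static token pair as the demo (iamtheeggman in, iamthewalrus out) and the audience from the credential file, and it adds an audience check and a constant-time token comparison that the page does not describe:

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"net/url"
)

// Demo constants. The token pair mirrors the page's sample server and the
// audience is the one in the sample credential file; none of this is the
// gist author's server code.
const (
	grantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	tokenTypeAccessToken   = "urn:ietf:params:oauth:token-type:access_token"
	expectedAudience       = "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/fake-oidc-pool-1/providers/fake-oidc-provider-1"
	demoSubjectToken       = "iamtheeggman" // constructed: the only accepted source token
	demoAccessToken        = "iamthewalrus" // constructed: the token handed back
	tokenLifetimeSeconds   = 3600
)

// TokenResponse is the RFC 8693 success body; the external_account client
// reads access_token from it and, with no impersonation URL configured,
// presents it as the Google access token.
type TokenResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
}

// ErrorResponse is the OAuth 2.0 error body shape (RFC 6749 section 5.2).
type ErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}

func oauthErr(code, desc string) ErrorResponse {
	return ErrorResponse{Error: code, ErrorDescription: desc}
}

// Exchange validates one form-encoded token-exchange request and returns
// the response body plus the HTTP status to send. It carries no net/http
// plumbing so it can be exercised without a listener.
func Exchange(form url.Values) (interface{}, int) {
	if form.Get("grant_type") != grantTypeTokenExchange {
		return oauthErr("unsupported_grant_type", "expected token-exchange grant"), http.StatusBadRequest
	}
	if form.Get("subject_token_type") != tokenTypeAccessToken {
		return oauthErr("invalid_request", "unsupported subject_token_type"), http.StatusBadRequest
	}
	// Binding the request to the audience in the credential file stops a
	// token meant for another pool or provider from being exchanged here.
	if form.Get("audience") != expectedAudience {
		return oauthErr("invalid_target", "audience not recognised"), http.StatusBadRequest
	}
	// Constant-time compare so the check does not leak how many leading
	// bytes of the expected token matched.
	got := []byte(form.Get("subject_token"))
	if subtle.ConstantTimeCompare(got, []byte(demoSubjectToken)) != 1 {
		return oauthErr("invalid_grant", "subject_token rejected"), http.StatusUnauthorized
	}
	return TokenResponse{
		AccessToken:     demoAccessToken,
		IssuedTokenType: tokenTypeAccessToken,
		TokenType:       "Bearer",
		ExpiresIn:       tokenLifetimeSeconds,
	}, http.StatusOK
}

// tokenHandler adapts Exchange to the /token endpoint that token_url in the
// credential file points at.
func tokenHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "POST only", http.StatusMethodNotAllowed)
		return
	}
	if err := r.ParseForm(); err != nil {
		http.Error(w, "malformed form body", http.StatusBadRequest)
		return
	}
	body, status := Exchange(r.PostForm)
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(status)
	if err := json.NewEncoder(w).Encode(body); err != nil {
		log.Printf("encode response: %v", err)
	}
}

func main() {
	http.HandleFunc("/token", tokenHandler)
	log.Println("demo STS server listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

Run it and point token_url in the credential file at http://localhost:8080/token (behind TLS in anything but a local test, since the subject token travels in the POST body); gcloud auth application-default print-access-token then prints iamthewalrus exactly as with the hosted sample. A real broker replaces the static comparison in Exchange with validation of the inbound token, for example a signature and claims check for an OIDC JWT, and issues a real credential rather than a fixed string.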

One application may be to take the Kubernetes service account token and exchange it for GCP credentials. The STS server would run as a Kubernetes Service, validate the token using the TokenReview API, then return the actual service account token. For more information, see

Of course, if you're using Kubernetes you're better off using other mechanisms than an STS server:
