Last active
September 7, 2025 17:52
Revisions
salrashid123 revised this gist
Nov 24, 2024 . 1 changed file with 1 addition and 1 deletion.
@@ -12,7 +12,7 @@ For more information about STS servers, see - [Serverless Security Token Exchange Server(STS) and gRPC STS credentials](https://github.com/salrashid123/sts_server) - [Security Token Service (STS) Credentials for HTTP and gRPC (rfc8693)](https://github.com/salrashid123/sts) - [External Account Credentials (https://google.aip.dev/auth/4117)](https://google.aip.dev/auth/4117) - [Certificate Bound Tokens using Security Token Exchange Server (STS)](https://github.com/salrashid123/cert_bound_sts_server) - [Envoy WASM and LUA filters for Certificate Bound Tokens](https://github.com/salrashid123/envoy_cert_bound_token) #### QuickStart -
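Review bot: style nit in the first list entry of this hunk: `Serverless Security Token Exchange Server(STS)` is missing the space before `(STS)` that the other entries use (`Security Token Service (STS)`, `Security Token Exchange Server (STS)`); suggest `Serverless Security Token Exchange Server (STS) and gRPC STS credentials` for consistency.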
salrashid123 revised this gist
Nov 24, 2024 . 1 changed file with 2 additions and 0 deletions.
@@ -12,6 +12,8 @@ For more information about STS servers, see - [Serverless Security Token Exchange Server(STS) and gRPC STS credentials](https://github.com/salrashid123/sts_server) - [Security Token Service (STS) Credentials for HTTP and gRPC (rfc8693)](https://github.com/salrashid123/sts) - [External Account Credentials (https://google.aip.dev/auth/4117)](https://google.aip.dev/auth/4117) - [Certificate Bound Tokens using Security Token Exchange Server (STS)(https://github.com/salrashid123/cert_bound_sts_server) - [Envoy WASM and LUA filters for Certificate Bound Tokens](https://github.com/salrashid123/envoy_cert_bound_token) #### QuickStart -
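Review bot: the newly added Certificate Bound Tokens entry is missing the closing `]` after `(STS)`, so Markdown will render it as literal text instead of a link; it should read `[Certificate Bound Tokens using Security Token Exchange Server (STS)](https://github.com/salrashid123/cert_bound_sts_server)`.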
salrashid123 revised this gist
Nov 24, 2024 . 1 changed file with 11 additions and 1 deletion.
@@ -73,8 +73,18 @@ iamthewalrus --- #### Using kubernetes service account token One application maybe to use the kubernetes service account token and exchange that for a GCP credentials. The STS server would run as a kubernetes Service, validate the token provided by the client using its TokenReview API, the return the actual service account. eg. 1. each client pod's workload federation read its own `/var/run/secrets/kubernetes.io/serviceaccount/token` 2. sends that token over the STS server (which may run as another kubernetes service) 3. sts server uses the tokenreview api to validate the token 4. sts server mints an `access_token` that is appropriate for that client kubernetes pod 5. retruns `access_token` to the pod 6. pod uses that to access gcp - [Kubernetes TokenReview API with Minikube](https://github.com/salrashid123/k8s_tokenreview) Ofcourse if you're using kuberentes, you're better off using other mechanisms than an STS server: -
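Review bot: steps 3 and 4 of the numbered list leave out the authorization decision: TokenReview only tells the server whether the token is valid and who presented it, but nothing says how the server decides which GCP credential is "appropriate for that client kubernetes pod". Suggest adding a step between 3 and 4 along the lines of "sts server rejects the exchange unless TokenReview reports the token as authenticated, then looks up the returned service account (namespace/name) in its allow-list to pick the GCP identity to mint", so readers do not implement a server that hands the same `access_token` to any pod with a valid token. Smaller fixes in the same hunk: "maybe" should be "may be", "a GCP credentials" should be "GCP credentials", "the return" should be "then return", "over the STS server" should be "to the STS server", "retruns" should be "returns", "Ofcourse" should be "Of course", and "kuberentes" should be "kubernetes".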
salrashid123 revised this gist
Nov 24, 2024 . 1 changed file with 8 additions and 0 deletions.
@@ -29,7 +29,15 @@ cat <<EOF >> /tmp/sts-req.json "subject_token_type": "urn:ietf:params:oauth:token-type:access_token" } EOF curl -s -H "Content-Type: application/json" -d @/tmp/sts-req.json https://stsserver-3kdezruzua-uc.a.run.app/token | jq '.' { "access_token": "iamthewalrus", "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_type": "Bearer", "expires_in": 60 } ``` then for GCP: -
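Review bot: the request in this hunk is posted as JSON (`-H "Content-Type: application/json" -d @/tmp/sts-req.json`), but RFC 8693 token exchange, which the intro links for this server, sends the request parameters form-encoded, and the `external_account` ADC client that the next section points at the same `token_url` will also post form-encoded. Since the ADC flow later in the gist does succeed against this server, it evidently accepts both; the text should say so, or show the form-encoded request, so that readers writing their own server from this sample do not reject the library's requests. The sample response is a useful addition; it may be worth noting beside it that `expires_in: 60` means the client will come back to the exchange endpoint roughly every minute.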
salrashid123 revised this gist
Nov 24, 2024 . 1 changed file with 19 additions and 1 deletion.
@@ -15,7 +15,25 @@ For more information about STS servers, see #### QuickStart If you just want to see a quick sample, use the STS Server running at `https://stsserver-3kdezruzua-uc.a.run.app/token`. All this STS server does is returns `iamthewalrus` if the provided token is `iamtheeggman`, thats is ```bash cat <<EOF >> /tmp/sts-req.json { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "resource": "//storage.googleapis.com/projects/_/buckets/bucket_name", "audience": "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/fake-oidc-pool-1/providers/fake-oidc-provider-1", "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "iamtheeggman", "subject_token_type": "urn:ietf:params:oauth:token-type:access_token" } EOF curl -s -H "Content-Type: application/json" -d @/tmp/sts-req.json https://stsserver-3kdezruzua-uc.a.run.app/token ``` then for GCP: ```bash echo -n iamtheeggman > /tmp/creds.txt -
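Review bot: `cat <<EOF >> /tmp/sts-req.json` appends, so running the snippet a second time leaves two JSON documents in the file and `-d @/tmp/sts-req.json` then posts an invalid body; use `>` instead, as the `echo -n iamtheeggman > /tmp/creds.txt` line below already does. The `resource` value `//storage.googleapis.com/projects/_/buckets/bucket_name` and the `audience` pool/provider path are placeholders for the reader's own project; a short sentence saying so, and whether the sample server checks them at all, would help. Also "does is returns ... thats is" should read "does is return ... that is".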
salrashid123 created this gist
Nov 24, 2024 .
@@ -0,0 +1,58 @@ ### Simple DIY STS server Google Cloud Application Default Credential or...how to use ADC and run your own STS token broker An STS server will exchange one token for another. This protocol is used by GCP Workload Federation. THis example runs your own STS server with GCP where the STS server accepts a source token, validates it and the returns a gcp `access_token` For more information about STS servers, see - [Serverless Security Token Exchange Server(STS) and gRPC STS credentials](https://github.com/salrashid123/sts_server) - [Security Token Service (STS) Credentials for HTTP and gRPC (rfc8693)](https://github.com/salrashid123/sts) - [External Account Credentials (https://google.aip.dev/auth/4117)](https://google.aip.dev/auth/4117) #### QuickStart If you just want to see a quick sample, use the STS Server running at [https://stsserver-3kdezruzua-uc.a.run.app/token](https://stsserver-3kdezruzua-uc.a.run.app/token). All this STS server does is returns `iamthewalrus` if the provided token is `iamtheeggman`, thats is ```bash echo -n iamtheeggman > /tmp/creds.txt cat <<EOF >> /tmp/sts-creds-file.json { "universe_domain": "googleapis.com", "type": "external_account", "audience": "//iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/fake-oidc-pool-1/providers/fake-oidc-provider-1", "subject_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_url": "https://stsserver-3kdezruzua-uc.a.run.app/token", "credential_source": { "file": "/tmp/creds.txt", "format": { "type": "text" } }, "token_info_url": "https://sts.googleapis.com/v1/introspect" } EOF export GOOGLE_APPLICATION_CREDENTIALS=/tmp//sts-creds-file.json export GOOGLE_CLOUD_PROJECT=your-project-id $ gcloud auth application-default print-access-token iamthewalrus ``` --- One application maybe to use the kubernetes service account token and exchange that for a GCP credentials. 
The STS server would run as a kubernetes Service, validate the token using its TokenReview API, the return the actual service account. For more information, see - [Kubernetes TokenReview API with Minikube](https://github.com/salrashid123/k8s_tokenreview) Ofcourse if you're using kuberentes, you're better off using other mechanisms than an STS server: - OIDC Federation [Using Kubernetes Service Accounts for Google Workload Identity Federation](https://github.com/salrashid123/k8s_federation_with_gcp) - MTLS Federation [GCP Workload Federation using Kubernetes SPIFFE mTLS](https://github.com/salrashid123/k8s_spiffe_mtls_federation_with_gcp) - Metadata Serivce [Istio Kubernetes GCE Metadata Proxy](https://github.com/salrashid123/istio_gce_metadata_server)
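Review bot: the credential file in this hunk mixes two issuers without saying so: `token_url` points at the DIY server on Cloud Run, while `audience` names a Google workload identity pool provider and `token_info_url` points at `https://sts.googleapis.com/v1/introspect`. The text should state that the exchange is performed entirely by the custom server (the pool provider is not consulted) and whether introspection of a token such as `iamthewalrus` at Google's endpoint is expected to work, otherwise readers will assume the federation pool validates the subject token. Smaller fixes: the `$ ` prompt inside the fenced block breaks copy-paste of the `gcloud auth application-default print-access-token` line, `GOOGLE_APPLICATION_CREDENTIALS=/tmp//sts-creds-file.json` has a doubled slash, `cat <<EOF >> /tmp/sts-creds-file.json` should use `>` so re-running does not corrupt the file, and "THis", "the returns", "thats is", "Ofcourse", "kuberentes" and "Serivce" are typos.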