You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Idea: Add an auth mode for GCP that allows Cromwell to impersonate a service account and use short-lived credentials for calls to GCP.
Context: Service account impersonation is now the defacto recommendation when choosing an authentication mechanism that relies on service accounts. Some teams (such as Verily) might prefer this approach over the current option to rely on downloaded service account keys.
How it works
Users would specify an auth block in the .conf file with one of the following formats. The first specifies
Application default credentials used for source service account
{
name = "user-service-account"
scheme = "user_service_account_impersonation"
}
A specified JSON file used for source service account
{
name = "user-service-account"
scheme = "user_service_account_impersonation"
json-file= "path/to/file.json"
}
Users would then add the following option when making workflow requests:
Cromwell would use the source service account to impersonate the target service account from the workflowOptions. It would then mint and refresh access tokens from this target service account for all GCP requests.
In order for this to work, the source service account would need the IAM role roles/iam.serviceAccountTokenCreator.
If the team would prefer a smaller PR
We could change this to only ever use applicationDefaultCredentials, in which case we could remove parts of the code that are altering ServiceAccountMode
The text was updated successfully, but these errors were encountered:
PR: #7224
Idea: Add an auth mode for GCP that allows Cromwell to impersonate a service account and use short-lived credentials for calls to GCP.
Context: Service account impersonation is now the defacto recommendation when choosing an authentication mechanism that relies on service accounts. Some teams (such as Verily) might prefer this approach over the current option to rely on downloaded service account keys.
How it works
Users would specify an auth block in the .conf file with one of the following formats. The first specifies
Users would then add the following option when making workflow requests:
Cromwell would use the source service account to impersonate the target service account from the workflowOptions. It would then mint and refresh access tokens from this target service account for all GCP requests.
In order for this to work, the source service account would need the IAM role roles/iam.serviceAccountTokenCreator.
If the team would prefer a smaller PR
We could change this to only ever use applicationDefaultCredentials, in which case we could remove parts of the code that are altering ServiceAccountMode
The text was updated successfully, but these errors were encountered: