AWS-GCP Workload Identity Federation authentication for EKS, EC2, Lambda, and local development
Project description
AWS-GCP Workload Identity Federation Auth
Python library for exchanging AWS credentials for GCP credentials using Workload Identity Federation. Works with EKS, EC2, Lambda, and local development.
Installation
pip install aws-gcp-wif-auth
Authentication Flow
┌────────────────────────────────────────────────────┐
│ AWS Environment (EKS/EC2/Lambda)                   │
│                                                    │
│   ┌──────────────┐                                 │
│   │ IAM Role     │  1. Provides AWS credentials    │
│   │ (Pod/EC2/    │     (Access Key, Secret, Token) │
│   │  Lambda)     │                                 │
│   └──────┬───────┘                                 │
│          │                                         │
│          ▼                                         │
│   ┌────────────────────────────────────────────┐  │
│   │ aws_gcp_wif_auth.get_credentials()         │  │
│   │  • Fetches AWS credentials via boto3       │  │
│   │  • Auto-refreshes when expired             │  │
│   └──────┬─────────────────────────────────────┘  │
└──────────┼─────────────────────────────────────────┘
           │
           │ 2. Exchange AWS credentials for GCP token
           ▼
┌────────────────────────────────────────────────────┐
│ GCP Workload Identity Federation                   │
│                                                    │
│   ┌────────────────────────────────────────────┐  │
│   │ STS Token Exchange (sts.googleapis.com)    │  │
│   │  • Validates AWS credentials               │  │
│   │  • Issues federated GCP token              │  │
│   └──────┬─────────────────────────────────────┘  │
│          │                                         │
│          │ 3. Impersonate service account          │
│          ▼                                         │
│   ┌────────────────────────────────────────────┐  │
│   │ Service Account Impersonation              │  │
│   │  • Uses federated token                    │  │
│   │  • Returns service account credentials     │  │
│   └──────┬─────────────────────────────────────┘  │
└──────────┼─────────────────────────────────────────┘
           │
           │ 4. Access GCP APIs
           ▼
┌────────────────────────────────────────────────────┐
│ GCP Services                                       │
│   • Vertex AI   • Cloud Storage   • BigQuery       │
│   • Pub/Sub     • Cloud Run       • Any GCP API    │
└────────────────────────────────────────────────────┘
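Steps 1 and 2 of the flow above, as an added example that is not the library's own code: it builds the audience for the pool/provider, SigV4-signs the AWS STS GetCallerIdentity request that serves as the AWS subject token (GCP replays that signed request against AWS to verify the caller, so the secret key never leaves the workload), and assembles the body posted to Google's STS. The AWS credentials and the fixed timestamp are constructed sample values; the header and body field names follow the WIF AWS subject-token exchange that google-auth implements.

```python
import datetime
import hashlib
import hmac
import json

SAMPLE_AWS = {"access_key": "AKIAEXAMPLE", "secret_key": "examplesecret", "token": "exampleSessionToken"}  # constructed, not real
SAMPLE_TIME = datetime.datetime(2024, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)  # fixed clock so the demo is repeatable

def wif_audience(project_number, pool_id, provider_id):
    """Provider resource name that GCP STS expects as the audience of the exchange."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def build_subject_token(aws, audience, region="us-east-1", now=None):
    """SigV4-sign an AWS STS GetCallerIdentity request; the signed request is the subject token.
    GCP never receives the secret key: it replays the request to AWS and trusts the caller identity."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date, service, query = amz_date[:8], "sts", "Action=GetCallerIdentity&Version=2011-06-15"
    host = f"sts.{region}.amazonaws.com"
    # Binding the audience into a signed header ties this token to one GCP provider.
    headers = {"host": host, "x-amz-date": amz_date, "x-goog-cloud-target-resource": audience}
    if aws.get("token"):  # role credentials on EKS/EC2/Lambda are temporary and carry a session token
        headers["x-amz-security-token"] = aws["token"]
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", query, "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(b"").hexdigest()])
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + aws["secret_key"]).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={aws['access_key']}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return {"url": f"https://{host}?{query}", "method": "POST",
            "headers": [{"key": k, "value": v} for k, v in headers.items()]}

def build_sts_exchange_request(subject_token, audience):
    """Form body for POST https://sts.googleapis.com/v1/token, which returns the federated token."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "audience": audience,
            "scope": "https://www.googleapis.com/auth/cloud-platform",
            "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
            "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
            "subject_token": json.dumps(subject_token)}
```

Step 3 (service account impersonation) then sends the federated token to the IAM Credentials API for the configured service account; the signed request expires with its x-amz-date, so a new subject token is produced on every refresh.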
Usage
Auto-detect Environment (Recommended)
from aws_gcp_wif_auth import get_credentials

# Automatically uses WIF in AWS, ADC locally
credentials = get_credentials(
    project_number="123456789",
    pool_id="my-wif-pool",
    provider_id="my-wif-provider",
    service_account_email="my-sa@project.iam.gserviceaccount.com",
)
Explicit WIF (AWS Environments)
from aws_gcp_wif_auth import get_wif_credentials

credentials = get_wif_credentials(
    project_number="123456789",
    pool_id="my-wif-pool",
    provider_id="my-wif-provider",
    service_account_email="my-sa@project.iam.gserviceaccount.com",
    aws_region="us-east-1",
)
Local Development (ADC)
from aws_gcp_wif_auth import get_adc_credentials

# Uses: gcloud auth application-default login
credentials = get_adc_credentials()
Authenticated Session
from aws_gcp_wif_auth import get_authed_session

# Get session with auto-refreshing credentials
session = get_authed_session(
    project_number="123456789",
    pool_id="my-wif-pool",
    provider_id="my-wif-provider",
    service_account_email="my-sa@project.iam.gserviceaccount.com",
)

# Make API requests
response = session.get("https://storage.googleapis.com/storage/v1/b")
Environment Detection
from aws_gcp_wif_auth import is_eks_environment

if is_eks_environment():
    print("Running in AWS (EKS/EC2/Lambda)")
else:
    print("Running locally")
Use with Google Cloud Libraries
from google.cloud import storage
from aws_gcp_wif_auth import get_credentials

credentials = get_credentials(
    project_number="123456789",
    pool_id="my-pool",
    provider_id="my-provider",
    service_account_email="sa@project.iam.gserviceaccount.com",
)

client = storage.Client(credentials=credentials)
buckets = list(client.list_buckets())
Supported AWS Environments
- EKS (Elastic Kubernetes Service) - IAM roles for service accounts
- EC2 - Instance profiles with IAM roles
- Lambda - Execution roles
- Local Development - Application Default Credentials (ADC)
API Reference
get_credentials()
Auto-detect environment and return appropriate credentials.
Parameters:
- project_number: GCP project number (required for WIF)
- pool_id: Workload Identity Pool ID (required for WIF)
- provider_id: Workload Identity Provider ID (required for WIF)
- service_account_email: GCP service account email (required for WIF)
- aws_region: AWS region (default: "us-east-1")
- scopes: OAuth scopes list (default: cloud-platform)
- use_adc: Force ADC instead of auto-detection (default: False)
get_wif_credentials()
Explicitly use Workload Identity Federation.
get_adc_credentials()
Explicitly use Application Default Credentials.
get_authed_session()
Get authenticated session with auto-refreshing credentials.
is_eks_environment()
Check if running in AWS environment (EKS/EC2/Lambda).
Requirements
- Python 3.8+
- AWS environment with IAM role (for WIF)
- GCP Workload Identity Pool configured for AWS (for WIF)
- gcloud auth application-default login (for local ADC)
License
MIT
File details
Details for the file aws_gcp_wif_auth-0.2.1.tar.gz.
File metadata
- Download URL: aws_gcp_wif_auth-0.2.1.tar.gz
- Size: 5.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File details
Details for the file aws_gcp_wif_auth-0.2.1-py3-none-any.whl.
File metadata
- Download URL: aws_gcp_wif_auth-0.2.1-py3-none-any.whl
- Size: 5.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2