Custom Credentials now read from secrets.json as opposed to env variables.

Author: vverman

auth/README.md

@@ -60,77 +60,6 @@ information](https://developers.google.com/identity/protocols/application-defaul
 
         $ npm run test:downscoping
 
-## Custom Credential Suppliers
-
-If you want to use external credentials (like AWS or Okta) that require custom retrieval logic not supported natively by the library, you can provide a custom supplier implementation.
-
-### Custom AWS Credential Supplier
-
-This sample demonstrates how to use the AWS SDK for Node.js as a custom `AwsSecurityCredentialsSupplier` to bridge AWS credentials—from sources like EKS IRSA, ECS, or local profiles—to Google Cloud Workload Identity.
-
-#### 1. Set Environment Variables
-
-```bash
-# AWS Credentials (or use ~/.aws/credentials)
-export AWS_ACCESS_KEY_ID="YOUR_AWS_ACCESS_KEY_ID"
-export AWS_SECRET_ACCESS_KEY="YOUR_AWS_SECRET_ACCESS_KEY"
-export AWS_REGION="us-east-1"
-
-# Google Cloud Config
-# Format: //iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/providers/<PROVIDER_ID>
-export GCP_WORKLOAD_AUDIENCE="//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-pool/providers/my-aws-provider"
-export GCS_BUCKET_NAME="your-bucket-name"
-
-# Optional: Service Account Impersonation
-# export GCP_SERVICE_ACCOUNT_IMPERSONATION_URL="https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com:generateAccessToken"
-```
-
-#### 2. Run the Sample
-
-```bash
-node custom-credential-supplier-aws.js
-```
-
-#### Running in Kubernetes (EKS)
-
-To run this in an EKS cluster using IAM Roles for Service Accounts (IRSA):
-
-1.  **Configure IRSA:** Associate an AWS IAM Role with your Kubernetes Service Account.
-2.  **Configure GCP:** Allow the AWS IAM Role ARN to impersonate your Workload Identity Pool.
-3.  **Deploy:** When deploying your Node.js application, ensure the Pod uses the annotated Service Account. The AWS SDK in the sample will automatically detect the credentials injected by the EKS OIDC webhook.
-
----
-
-### Custom Okta Credential Supplier
-
-This sample demonstrates how to use a custom `SubjectTokenSupplier` to fetch an OIDC token from **Okta** using the Client Credentials flow and exchange it for Google Cloud credentials via Workload Identity Federation.
-
-#### 1. Okta Configuration
-
-Ensure you have an Okta Machine-to-Machine (M2M) application set up with "Client Credentials" grant type enabled. You will need the Domain, Client ID, and Client Secret.
-
-#### 2. Set Environment Variables
-
-```bash
-# Okta Configuration
-export OKTA_DOMAIN="https://your-okta-domain.okta.com"
-export OKTA_CLIENT_ID="your-okta-client-id"
-export OKTA_CLIENT_SECRET="your-okta-client-secret"
-
-# Google Cloud Config
-export GCP_WORKLOAD_AUDIENCE="//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-pool/providers/my-oidc-provider"
-export GCS_BUCKET_NAME="your-bucket-name"
-
-# Optional: Service Account Impersonation
-# export GCP_SERVICE_ACCOUNT_IMPERSONATION_URL="https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com:generateAccessToken"
-```
-
-#### 3. Run the Sample
-
-```bash
-node custom-credential-supplier-okta.js
-```
-
 ### Additional resources
 
 For more information on downscoped credentials you can visit:

auth/customcredentials/aws/Dockerfile

@@ -0,0 +1,25 @@
+# Use the official Node.js image.
+# https://hub.docker.com/_/node
+FROM node:20-slim
+
+# Create and change to the app directory.
+WORKDIR /app
+
+# Copy application dependency manifests to the container image.
+# A wildcard is used to ensure both package.json AND package-lock.json are copied.
+COPY package*.json ./
+
+# Install production dependencies.
+RUN npm install --omit=dev
+
+# Create a non-root user for security
+RUN useradd -m appuser
+
+# Copy local code to the container image.
+COPY --chown=appuser:appuser . .
+
+# Switch to non-root user
+USER appuser
+
+# Run the web service on container startup.
+CMD [ "node", "customCredentialSupplierAws.js" ]

auth/customcredentials/aws/README.md

@@ -0,0 +1,122 @@
+# Running the Custom AWS Credential Supplier Sample (Node.js)
+
+This sample demonstrates how to use a custom AWS security credential supplier to authenticate with Google Cloud using AWS as an external identity provider. It uses the **AWS SDK for JavaScript (v3)** to fetch credentials from sources like Amazon Elastic Kubernetes Service (EKS) with IAM Roles for Service Accounts (IRSA), Elastic Container Service (ECS), or Fargate.
+
+## Prerequisites
+
+*   An AWS account.
+*   A Google Cloud project with the IAM API enabled.
+*   A GCS bucket.
+*   **Node.js 16** or later installed.
+*   **npm** installed.
+
+If you want to use AWS security credentials that cannot be retrieved using methods supported natively by the Google Auth library, a custom `AwsSecurityCredentialsSupplier` implementation may be specified. The supplier must return valid, unexpired AWS security credentials when called by the Google Cloud Auth library.
+
+## Running Locally
+
+For local development, you can provide credentials and configuration in a JSON file.
+
+### Install Dependencies
+
+Ensure you have Node.js installed, then install the required libraries:
+
+```bash
+npm install
+```
+
+### Configure Credentials for Local Development
+
+1.  Copy the example secrets file to a new file named `custom-credentials-aws-secrets.json` in the project root:
+    ```bash
+    cp custom-credentials-aws-secrets.json.example custom-credentials-aws-secrets.json
+    ```
+2.  Open `custom-credentials-aws-secrets.json` and fill in the required values for your AWS and Google Cloud configuration. Do not check your `custom-credentials-aws-secrets.json` file into version control.
+
+
+### Run the Application
+
+Execute the script using node:
+
+```bash
+node customCredentialSupplierAws.js
+```
+
+When run locally, the application will detect the `custom-credentials-aws-secrets.json` file and use it to configure the necessary environment variables for the AWS SDK.
+
+## Running in a Containerized Environment (EKS)
+
+This section provides a brief overview of how to run the sample in an Amazon EKS cluster.
+
+### EKS Cluster Setup
+
+First, you need an EKS cluster. You can create one using `eksctl` or the AWS Management Console. For detailed instructions, refer to the [Amazon EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html).
+
+### Configure IAM Roles for Service Accounts (IRSA)
+
+IRSA enables you to associate an IAM role with a Kubernetes service account. This provides a secure way for your pods to access AWS services without hardcoding long-lived credentials.
+
+Run the following command to create the IAM role and bind it to a Kubernetes Service Account:
+
+```bash
+eksctl create iamserviceaccount \
+  --name your-k8s-service-account \
+  --namespace default \
+  --cluster your-cluster-name \
+  --region your-aws-region \
+  --role-name your-role-name \
+  --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
+  --approve
+```
+
+> **Note**: The `--attach-policy-arn` flag is used here to demonstrate attaching permissions. Update this with the specific AWS policy ARN your application requires.
+
+For a deep dive into how this works without using `eksctl`, refer to the [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) documentation.
+
+### Configure Google Cloud to Trust the AWS Role
+
+To allow your AWS role to authenticate as a Google Cloud service account, you need to configure Workload Identity Federation. This process involves these key steps:
+
+1.  **Create a Workload Identity Pool and an AWS Provider:** The pool holds the configuration, and the provider is set up to trust your AWS account.
+
+2.  **Create or select a Google Cloud Service Account:** This service account will be impersonated by your AWS role.
+
+3.  **Bind the AWS Role to the Google Cloud Service Account:** Create an IAM policy binding that gives your AWS role the `Workload Identity User` (`roles/iam.workloadIdentityUser`) role on the Google Cloud service account.
+
+For more detailed information, see the documentation on [Configuring Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds).
+
+### Containerize and Package the Application
+
+Create a `Dockerfile` for the Node.js application and push the image to a container registry (for example Amazon ECR) that your EKS cluster can access.
+
+**Note:** The provided [`Dockerfile`](Dockerfile) is an example and may need modification for your specific needs.
+
+Build and push the image:
+```bash
+docker build -t your-container-image:latest .
+docker push your-container-image:latest
+```
+
+### Deploy to EKS
+
+Create a Kubernetes deployment manifest to deploy your application to the EKS cluster. See the [`pod.yaml`](pod.yaml) file for an example.
+
+**Note:** The provided [`pod.yaml`](pod.yaml) is an example and may need to be modified for your specific needs.
+
+Deploy the pod:
+
+```bash
+kubectl apply -f pod.yaml
+```
+
+### Clean Up
+
+To clean up the resources, delete the EKS cluster and any other AWS and Google Cloud resources you created.
+
+```bash
+eksctl delete cluster --name your-cluster-name
+```
+
+## Testing
+
+This sample is not continuously tested. It is provided for instructional purposes and may require modifications to work in your environment.
+```

auth/customcredentials/aws/custom-credentials-aws-secrets.json.example

@@ -0,0 +1,8 @@
+{
+  "aws_access_key_id": "YOUR_AWS_ACCESS_KEY_ID",
+  "aws_secret_access_key": "YOUR_AWS_SECRET_ACCESS_KEY",
+  "aws_region": "YOUR_AWS_REGION",
+  "gcp_workload_audience": "YOUR_GCP_WORKLOAD_AUDIENCE",
+  "gcs_bucket_name": "YOUR_GCS_BUCKET_NAME",
+  "gcp_service_account_impersonation_url": "YOUR_GCP_SERVICE_ACCOUNT_IMPERSONATION_URL"
+}

auth/customCredentialSupplierAws.js …tials/aws/customCredentialSupplierAws.jsauth/customCredentialSupplierAws.js renamed to auth/customcredentials/aws/customCredentialSupplierAws.js auth/customCredentialSupplierAws.js renamed to auth/customcredentials/aws/customCredentialSupplierAws.js

@@ -15,7 +15,10 @@
 // [START auth_custom_credential_supplier_aws]
 const {AwsClient} = require('google-auth-library');
 const {fromNodeProviderChain} = require('@aws-sdk/credential-providers');
+const fs = require('fs');
+const path = require('path');
 const {STSClient} = require('@aws-sdk/client-sts');
+const {Storage} = require('@google-cloud/storage');
 
 /**
  * Custom AWS Security Credentials Supplier.
@@ -93,36 +96,86 @@ async function authenticateWithAwsCredentials(
   audience,
   impersonationUrl
 ) {
-  // 1. Instantiate the custom supplier.
   const customSupplier = new CustomAwsSupplier();
 
-  // 2. Configure the AwsClient options.
   const clientOptions = {
     audience: audience,
     subject_token_type: 'urn:ietf:params:aws:token-type:aws4_request',
     service_account_impersonation_url: impersonationUrl,
     aws_security_credentials_supplier: customSupplier,
   };
 
-  // 3. Create the auth client
-  const client = new AwsClient(clientOptions);
+  const authClient = new AwsClient(clientOptions);
 
-  // 4. Make an authenticated request to GCS.
-  const bucketUrl = `https://storage.googleapis.com/storage/v1/b/${bucketName}`;
-  const res = await client.request({url: bucketUrl});
-  return res.data;
+  const storage = new Storage({
+    authClient: authClient,
+  });
+
+  const [metadata] = await storage.bucket(bucketName).getMetadata();
+  return metadata;
 }
 // [END auth_custom_credential_supplier_aws]
 
+/**
+ * If a local secrets file is present, load it into the process environment.
+ * This is a "just-in-time" configuration for local development. These
+ * variables are only set for the current process.
+ */
+function loadConfigFromFile() {
+  const secretsFile = 'custom-credentials-aws-secrets.json';
+  const secretsPath = path.resolve(__dirname, secretsFile);
+
+  if (!fs.existsSync(secretsPath)) {
+    return;
+  }
+
+  try {
+    const secrets = JSON.parse(fs.readFileSync(secretsPath, 'utf8'));
+
+    if (!secrets) {
+      return;
+    }
+
+    // AWS SDK for Node.js looks for environment variables with specific names.
+    if (secrets.aws_access_key_id) {
+      process.env.AWS_ACCESS_KEY_ID = secrets.aws_access_key_id;
+    }
+    if (secrets.aws_secret_access_key) {
+      process.env.AWS_SECRET_ACCESS_KEY = secrets.aws_secret_access_key;
+    }
+    if (secrets.aws_region) {
+      process.env.AWS_REGION = secrets.aws_region;
+    }
+
+    // Set custom GCP variables so they can be retrieved from process.env.
+    if (secrets.gcp_workload_audience) {
+      process.env.GCP_WORKLOAD_AUDIENCE = secrets.gcp_workload_audience;
+    }
+    if (secrets.gcs_bucket_name) {
+      process.env.GCS_BUCKET_NAME = secrets.gcs_bucket_name;
+    }
+    if (secrets.gcp_service_account_impersonation_url) {
+      process.env.GCP_SERVICE_ACCOUNT_IMPERSONATION_URL =
+        secrets.gcp_service_account_impersonation_url;
+    }
+  } catch (error) {
+    console.error(`Error reading secrets file: ${error.message}`);
+  }
+}
+
 async function main() {
-  require('dotenv').config();
+  // Reads the secrets.json if running locally.
+  loadConfigFromFile();
+
   const gcpAudience = process.env.GCP_WORKLOAD_AUDIENCE;
   const saImpersonationUrl = process.env.GCP_SERVICE_ACCOUNT_IMPERSONATION_URL;
   const gcsBucketName = process.env.GCS_BUCKET_NAME;
 
   if (!gcpAudience || !gcsBucketName) {
     throw new Error(
-      'Missing required environment variables: GCP_WORKLOAD_AUDIENCE, GCS_BUCKET_NAME'
+      'Missing required configuration. Please provide it in a ' +
+        'secrets.json file or as environment variables: ' +
+        'GCP_WORKLOAD_AUDIENCE, GCS_BUCKET_NAME'
     );
   }
 
@@ -134,11 +187,10 @@ async function main() {
       saImpersonationUrl
     );
     console.log('\n--- SUCCESS! ---');
-    console.log('Bucket Name:', bucketMetadata.name);
-    console.log('Bucket Location:', bucketMetadata.location);
+    console.log('Bucket Metadata:', JSON.stringify(bucketMetadata, null, 2));
   } catch (error) {
     console.error('\n--- FAILED ---');
-    console.error(error.response?.data || error);
+    console.error(error.message || error);
     process.exitCode = 1;
   }
 }