Skip to content

feat: add workload identity federation support for AWS ECS tasks (#496)#674

Open
cy-yun wants to merge 1 commit into
mainfrom
ecs-wif-support
Open

feat: add workload identity federation support for AWS ECS tasks (#496)#674
cy-yun wants to merge 1 commit into
mainfrom
ecs-wif-support

Conversation

@cy-yun

@cy-yun cy-yun commented Jul 7, 2026

Copy link
Copy Markdown

Add support for AWS ECS (Elastic Container Service) credentials in AwsNativeSource

Description

This PR introduces native support for retrieving AWS credentials from the ECS Container Metadata endpoint within AwsNativeSource.

Previously, when running applications inside an Amazon ECS or AWS Fargate container with IAM Roles for Tasks configured, the library could not automatically resolve the temporary container credentials, as it primarily supported EC2 IMDSv2 metadata endpoints, explicit credentials via URLs, or static environment variables (AWS_ACCESS_KEY_ID, etc).

With this change, AwsNativeSource natively honors standard AWS ECS environment variables:

  • AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
  • AWS_CONTAINER_CREDENTIALS_FULL_URI
  • AWS_CONTAINER_AUTHORIZATION_TOKEN
  • AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE

When detected, the library fetches the temporary AccessKeyId, SecretAccessKey, and Token from the ECS metadata server, allowing seamless workload identity federation between AWS ECS/Fargate and Google Cloud.

Changes Made

  • Added AwsNativeSource::getSigningVarsFromEcs to probe and execute HTTP requests to the ECS container metadata endpoint.
  • Included parsing and fallback logic for authorization tokens (AWS_CONTAINER_AUTHORIZATION_TOKEN and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE).
  • Validated the presence of required JSON response properties to ensure type safety.
  • Injected getSigningVarsFromEcs into the credential resolution fallback chain (after Env variables, but before generic URLs).
  • Added corresponding unit tests in AwsNativeSourceTest for both relative and full URI resolutions, as well as token/file variations.

How the Customer Uses It

Customers do not need to change any application code.

When a PHP application using google/auth is deployed on Amazon ECS or AWS Fargate with a Task IAM Role assigned, the flow works automatically:

  1. The customer configures Google Cloud Workload Identity Federation to trust their AWS account/role.
  2. They generate the generic GCP External Account credentials JSON file.
  3. They set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to this JSON file in their container.
  4. AWS ECS injects the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable into the running container implicitly.
  5. This library detects the variable, automatically queries the ECS metadata endpoint for the container's temporary AWS credentials, signs the GetCallerIdentity request, and exchanges it securely for a Google Cloud token.

@cy-yun cy-yun requested a review from a team as a code owner July 7, 2026 01:38
@cy-yun cy-yun force-pushed the ecs-wif-support branch 3 times, most recently from 54fe56d to 06f782a Compare July 7, 2026 07:18
@cy-yun cy-yun force-pushed the ecs-wif-support branch from 06f782a to 52ba443 Compare July 7, 2026 07:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants