Feature: Add "User Service Account Impersonation" auth mode for GCP #7223
Description
PR: #7224
Idea: Add an auth mode for GCP that allows Cromwell to impersonate a service account and use short-lived credentials for calls to GCP.
Context: Service account impersonation is now the defacto recommendation when choosing an authentication mechanism that relies on service accounts. Some teams (such as Verily) might prefer this approach over the current option to rely on downloaded service account keys.
How it works
Users would specify an auth block in the .conf file with one of the following formats. The first specifies
- Application default credentials used for source service account
{
name = "user-service-account"
scheme = "user_service_account_impersonation"
}
- A specified JSON file used for source service account
{
name = "user-service-account"
scheme = "user_service_account_impersonation"
json-file= "path/to/file.json"
}
Users would then add the following option when making workflow requests:
{
"user_service_account_email": "someemail@domain.com
}
Cromwell would use the source service account to impersonate the target service account from the workflowOptions. It would then mint and refresh access tokens from this target service account for all GCP requests.
In order for this to work, the source service account would need the IAM role roles/iam.serviceAccountTokenCreator.
If the team would prefer a smaller PR
We could change this to only ever use applicationDefaultCredentials, in which case we could remove parts of the code that are altering ServiceAccountMode