Workload identity support (#2126)

* WIP: support for workload identity * WIP: bugfixes to support WI * Added support for Workload Identity * Added missing flag * Refactoring and typo * Updated CHANGELOG.md * Updated docs * Updated changelog * Improved readability and fixed codeclimate issues * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Fixed if statement * Apply suggestions from code review Co-authored-by: Jan Larwig <jan@larwig.com> * Cleanup * Removed target principal * Removed references to target principal * Added docs * Fixed header anchor linking * Update auth.md * Updated generated code * Improved code * Fixed tests --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Jan Larwig <jan@larwig.com>
2025-08-08 22:46:33 +02:00 · 2023-09-04 11:34:54 +02:00
parent 738c09095b
commit a6e8ec81e8
9 changed files with 114 additions and 60 deletions
--- a/pkg/validation/providers.go
+++ b/pkg/validation/providers.go
@ -66,20 +66,32 @@ func validateProvider(provider options.Provider, providerIDs map[string]struct{}

 func validateGoogleConfig(provider options.Provider) []string {
 	msgs := []string{}
-	if len(provider.GoogleConfig.Groups) > 0 ||
-		provider.GoogleConfig.AdminEmail != "" ||
-		provider.GoogleConfig.ServiceAccountJSON != "" {
-		if len(provider.GoogleConfig.Groups) < 1 {
-			msgs = append(msgs, "missing setting: google-group")
-		}
-		if provider.GoogleConfig.AdminEmail == "" {
-			msgs = append(msgs, "missing setting: google-admin-email")
-		}
-		if provider.GoogleConfig.ServiceAccountJSON == "" {
-			msgs = append(msgs, "missing setting: google-service-account-json")
-		} else if _, err := os.Stat(provider.GoogleConfig.ServiceAccountJSON); err != nil {
-			msgs = append(msgs, fmt.Sprintf("invalid Google credentials file: %s", provider.GoogleConfig.ServiceAccountJSON))
+
+	hasGoogleGroups := len(provider.GoogleConfig.Groups) >= 1
+	hasAdminEmail := provider.GoogleConfig.AdminEmail != ""
+	hasSAJSON := provider.GoogleConfig.ServiceAccountJSON != ""
+	useADC := provider.GoogleConfig.UseApplicationDefaultCredentials
+
+	if !hasGoogleGroups && !hasAdminEmail && !hasSAJSON && !useADC {
+		return msgs
+	}
+
+	if !hasGoogleGroups {
+		msgs = append(msgs, "missing setting: google-group")
+	}
+	if !hasAdminEmail {
+		msgs = append(msgs, "missing setting: google-admin-email")
+	}
+
+	_, err := os.Stat(provider.GoogleConfig.ServiceAccountJSON)
+	if !useADC {
+		if !hasSAJSON {
+			msgs = append(msgs, "missing setting: google-service-account-json or google-use-application-default-credentials")
+		} else if err != nil {
+			msgs = append(msgs, fmt.Sprintf("Google credentials file not found: %s", provider.GoogleConfig.ServiceAccountJSON))
 		}
+	} else if hasSAJSON {
+		msgs = append(msgs, "invalid setting: can't use both google-service-account-json and google-use-application-default-credentials")
 	}

 	return msgs