Support custom token file location via environment variable with Workload Identity Federation


    • Type: Spec Change
    • Resolution: Unresolved
    • Priority: Minor - P4
    • Component/s: Authentication

      The OIDC/OAuth 2.0 Kubernetes (k8s) callback currently resolves the token file from the following locations, checked in this order:

      import os

      # Azure Workload Identity takes precedence, then AWS IRSA, then the default
      # in-cluster projected service-account token.
      if 'AZURE_FEDERATED_TOKEN_FILE' in os.environ:
          fname = os.environ['AZURE_FEDERATED_TOKEN_FILE']
      elif 'AWS_WEB_IDENTITY_TOKEN_FILE' in os.environ:
          fname = os.environ['AWS_WEB_IDENTITY_TOKEN_FILE']
      else:
          fname = '/var/run/secrets/kubernetes.io/serviceaccount/token'

      When using OpenShift on GCP, it would be preferable to use a custom token location (e.g. /var/run/secrets/openshift/serviceaccount/token), but the only way to specify one today is to set either the Azure or the AWS environment variable, which is not ideal.

      Add a custom environment variable to allow specifying a custom token location. For example:

      import os

      # Existing provider-specific variables keep their precedence; the new
      # generic variable is consulted before falling back to the default path.
      if 'AZURE_FEDERATED_TOKEN_FILE' in os.environ:
          fname = os.environ['AZURE_FEDERATED_TOKEN_FILE']
      elif 'AWS_WEB_IDENTITY_TOKEN_FILE' in os.environ:
          fname = os.environ['AWS_WEB_IDENTITY_TOKEN_FILE']
      elif 'CUSTOM_LOCATION_TOKEN_FILE' in os.environ:
          fname = os.environ['CUSTOM_LOCATION_TOKEN_FILE']
      else:
          fname = '/var/run/secrets/kubernetes.io/serviceaccount/token'

      This way, customers running OpenShift on GCP or in other environments can specify their token location via the CUSTOM_LOCATION_TOKEN_FILE environment variable instead of reusing Azure- or AWS-specific variables.
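      The proposed precedence as a testable function, added here as an illustration and not code from the driver; it takes the environment as a parameter so the lookup order can be exercised without touching os.environ, and (as an assumption beyond the ticket) treats an empty variable as unset so an exported-but-blank AZURE_FEDERATED_TOKEN_FILE cannot shadow the custom path. The token reader strips the trailing newline that kubelet-projected token files carry and rejects an empty file rather than sending an empty bearer token.

```python
import os
from typing import Mapping, Optional

# Default in-cluster projected service-account token path (from the ticket).
DEFAULT_K8S_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# Variables consulted in order. CUSTOM_LOCATION_TOKEN_FILE is the name
# proposed in this ticket, not one the driver currently recognises.
TOKEN_FILE_ENV_VARS = (
    "AZURE_FEDERATED_TOKEN_FILE",
    "AWS_WEB_IDENTITY_TOKEN_FILE",
    "CUSTOM_LOCATION_TOKEN_FILE",
)


def resolve_k8s_token_path(env: Optional[Mapping[str, str]] = None) -> str:
    """Return the token file path under the proposed precedence.

    The environment is injected so the order can be tested without mutating
    os.environ. An empty value is treated as unset (an assumption not made by
    the ticket's snippet, which only checks for presence).
    """
    env = os.environ if env is None else env
    for name in TOKEN_FILE_ENV_VARS:
        value = env.get(name, "")
        if value:
            return value
    return DEFAULT_K8S_TOKEN_PATH


def read_k8s_token(path: str) -> str:
    """Read a projected service-account token from ``path``.

    Kubelet-mounted token files usually end in a newline, which must not be
    sent as part of the bearer token. An empty file is rejected here instead
    of producing an authentication failure later at the server.
    """
    with open(path, "r", encoding="utf-8") as f:
        token = f.read().strip()
    if not token:
        raise ValueError(f"OIDC token file {path!r} is empty")
    return token
```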

            Assignee: Unassigned
            Reporter: Alex Bevilacqua
            Votes: 0
            Watchers: 2