
Enable MTLS and Identity-bound token when using Google Api client libraries #1895

xmenxk opened this issue Mar 7, 2023 · 0 comments

Labels: priority: p3 (Desirable enhancement or fix. May not be included in next release.); type: feature request (‘Nice-to-have’ improvement, new feature or different behavior or design.)


xmenxk commented Mar 7, 2023

Google client libraries use Application Default Credentials (ADC) to select credentials. When running in GCP, the default option is getting a bearer token from the metadata service and using it over a TLS connection to Google APIs.

We can improve security by integrating with S2A, where a workload can obtain an identity-bound token and use it to talk to Google APIs over an MTLS connection.

S2A is Google's Secure Session Agent, which is part of the cloud infrastructure.
