Auth via Google's `auth` GitHub Action

[jennybc]

https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions

Given that gargle already supports Application Default Credentials, I am optimistic it won't be too hard to make use of this.

[gvelasq]

Thank you for considering this functionality. I have been trying to build a GitHub Action that uses the YouTube Data API v3, and it would be great to be able to do it all without having to upload a secret. I haven't had luck finding a flow in httr, httr2, or gargle that can handle the access_token returned from the auth GitHub Action:

on: [push]

name: youtube-api-test

jobs:
  youtube-api-test:
    runs-on: macOS-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/977381217576/locations/global/workloadIdentityPools/youtube-data-api/providers/youtube-data-api'
          service_account: 'youtube-data-api@logical-waters-347600.iam.gserviceaccount.com'
      - uses: r-lib/actions/setup-r@v2
      - uses: r-lib/actions/setup-r-dependencies@v2
        with:
          cache-version: 2
      - name: 'Explore access_token names'
        run: |
          Rscript -e 'access_token <- jsonlite::fromJSON(Sys.getenv("GOOGLE_APPLICATION_CREDENTIALS"))' \
                  -e 'names(access_token)'

This returns the following names:

[1] "type"                              "audience"                         
[3] "subject_token_type"                "token_url"                        
[5] "service_account_impersonation_url" "credential_source"

Since some R API wrapper package functions (e.g., tuber::list_channel_videos()) expect a httr::oauth2.0_token(), would this auth flow permit the resulting WifToken or other returned files to be compatible with different R API wrapper packages depending on whether they were implemented in httr, httr2, or gargle?

[igrave]

Hi, I have implemented this workflow natively in gargle so that I can test my package without having to supply service account secrets to workflows.

#290

Using the auth action could also work if you hack together a Token object directly from the access_token string. That approach requires editing your github actions, whereas this native approach could be used in any package directly, eg in tests.
(Actually you also have to set the id-token: 'write' permission in your workflow but nothing else.)

As usual some setup is required on the Google Cloud side:
https://github.com/google-github-actions/auth/blob/71f986410dfbc7added4569d411d040a91dc6935/README.md#workload-identity-federation-through-a-service-account

[igrave]

@jennybc Do you have any interest in incorporating something like this into gargle? If not I'll try to spin it out into it's own package. #290

[avahoffman]

+1 for interest in google-github-actions/auth <> gargle functionality! We'd also like to move away from supplying service account keys as secrets. Our use case is scheduling pulls from Google Sheets (ideally paired with googlesheets4).

@igrave did you implement this elsewhere? We'd be happy to test.

[igrave]

Hi @avahoffman
I didn't get the chance to spin this out properly yet.
I have an alternative at https://github.com/igrave/ladder/blob/main/R/gauth_token.R that can use the access_token directly from the google auth action to construct the R6 token object, which you could pass to the *_auth() function

token <- GAuthToken$new(access_token = access_token)
googlesheets4::gs4_auth(token = token)

Please make an issue over there if you're interested.