feat(auth): AWS sourced external accounts

[alvarowolfx]

Towards #3644

[codecov]

Codecov Report

❌ Patch coverage is 90.10417% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 94.90%. Comparing base (b7e90c7) to head (134f14a).
⚠️ Report is 15 commits behind head on main.

Files with missing lines	Patch %	Lines
...redentials/external_account_sources/aws_sourced.rs	90.60%	17 Missing ⚠️
src/auth/src/credentials/external_account.rs	81.81%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4790      +/-   ##
==========================================
- Coverage   95.03%   94.90%   -0.14%     
==========================================
  Files         199      200       +1     
  Lines        7772     7961     +189     
==========================================
+ Hits         7386     7555     +169     
- Misses        386      406      +20     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[alvarowolfx]

Successfully tested using our internal go/3pi-sdk-testing process.

use google_cloud_auth::credentials::Builder;
use google_cloud_storage::client::StorageControl;

const BUCKET_ID: &str = "REDACTED";

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    println!("Building Credentials...");
    // Will use ADC with the environment variable set
    let creds = Builder::default().build()?;
    println!("Credentials built: {:?}", creds);

    let client = StorageControl::builder()
        .with_credentials(creds)
        .build()
        .await?;
    let bucket = client
        .get_bucket()
        .set_name(format!("projects/_/buckets/{BUCKET_ID}"))
        .send()
        .await?;
    println!("successfully obtained bucket metadata {bucket:?}");

    Ok(())
}

output:

[REDACTED rust]$ export GOOGLE_APPLICATION_CREDENTIALS=/home/ec2-user/aws-credentials.json
[REDACTED rust]$ ./external_account 
Building Credentials...
Credentials built: Credentials { inner: AccessTokenCredentials { inner: ExternalAccountCredentials { token_provider: TokenCache { rx_token: Receiver { shared: Shared { value: RwLock(PhantomData<std::sync::poison::rwlock::RwLock<core::option::Option<core::result::Result<(google_cloud_auth::token::Token, google_cloud_auth::credentials::EntityTag), google_cloud_gax::error::credentials::CredentialsError>>>>, RwLock { data: None }), version: Version(0), is_closed: false, ref_count_rx: 1 }, version: Version(0) } }, quota_project_id: None } } }

successfully obtained bucket metadata Bucket { name: "projects/_/buckets/REDACTED", bucket_id: "REDACTED ", etag: "CAg=", project: "projects/REDACTED", metageneration: 8, location: "US", location_type: "multi-region", storage_class: "STANDARD", rpo: "DEFAULT", acl: [], default_object_acl: [], lifecycle: None, create_time: Some(Timestamp { seconds: 1600382470, nanos: 633000000 }), cors: [], update_time: Some(Timestamp { seconds: 1719936392, nanos: 166000000 }), default_event_based_hold: false, labels: {}, website: None, versioning: None, logging: None, owner: None, encryption: None, billing: None, retention_policy: None, iam_config: Some(IamConfig { uniform_bucket_level_access: Some(UniformBucketLevelAccess { enabled: false, lock_time: None }), public_access_prevention: "inherited" }), satisfies_pzs: false, custom_placement_config: None, autoclass: None, hierarchical_namespace: None, soft_delete_policy: Some(SoftDeletePolicy { retention_duration: Some(Duration { seconds: 604800, nanos: 0 }), effective_time: Some(Timestamp { seconds: 1709280000, nanos: 0 }) }), object_retention: None, ip_filter: None }

[coryan]

Pretty good, a few nits and suggestions. Try to refactor the code making HTTP requests so the error handling is all in one place.

[coryan]

nit: move above with the other constants?

[coryan]

nit: remove the blank line.

[coryan]

If you are already going to use url::Url::parse() shouldn't that be able to handle the missing scheme?

[coryan]

Consider:

Suggested change

	fn parse_region_from_zone(zone: &str) -> Option<String> {
	let zone = zone.trim();
	if zone.is_empty() {
	return None;
	}
	if let Some(last_char) = zone.chars().last() {
	if last_char.is_ascii_alphabetic() && zone.len() > 1 {
	let potential_region = &zone[..zone.len() - 1];
	if potential_region
	.chars()
	.last()
	.is_some_and(|c| c.is_ascii_digit())
	{
	return Some(potential_region.to_string());
	}
	}
	}
	Some(zone.to_string())
	}
	fn parse_region_from_zone(zone: &str) -> Option<&str> {
	let zone = zone.trim();
	let parts: Vec<&str> = id.split('-').collect();
	match &parts[..] {
	[geo, region, letter] if !letter.is_empty() && !geo.is_empty() => Some(region),
	_ => None,
	}
	}

If you push me, we can save the memory allocation using:

fn parse_region_from_zone(zone: &str) -> Option<&str> {
    let zone = zone.trim();
    let parts = id.split('-');
    match (parts.next(), parts.next(), parts.next(), parts.next()) {
        (Some(geo), Some(region), Some(z), None] if !z.is_empty() && !geo.is_empty() => Some(region),
        _ => None,
    }
}

[coryan]

Ah, I see in the tests that AWS zones can have four parts: just add a branch to the match case.

[coryan]

This block repeats at least 3 times. Time to refactor to a function?

[coryan]

This is a prior repeat...

[coryan]

Here is another...

[coryan]

nit: insert these in alphabetical order.

[coryan]

nit: 2026