Add Workload Identity Federation authentication method for AWS #106
Merged
katamotokosuke
merged 9 commits into
master
from
feature/add-workload-identity-federation-auth
Jan 7, 2026
Conversation
Add access_token as a new authentication method for BigQuery.

This allows direct authentication using OAuth access tokens without requiring a service account JSON keyfile.

- PluginTask: Add access_token option, make json_keyfile Optional
- Auth: Add access_token authentication handling
- BigqueryClient: Update to handle Optional json_keyfile
- README: Add documentation for access_token option

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add support for authenticating to BigQuery using AWS credentials via Workload Identity Federation.

This allows users to authenticate without storing Google Cloud service account keys by leveraging AWS IAM credentials.

- Add WorkloadIdentityFederationConfig for nested configuration
- Add WorkloadIdentityFederationAuth for AWS signed request and token exchange
- Add WorkloadIdentityFederationCredentials with token refresh support
- Update Auth to support workload_identity_federation auth method
- Update PluginTask with workload_identity_federation config option
- Update README with documentation and examples

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Remove the access_token auth method in favor of workload_identity_federation, which provides better security by not requiring direct token handling.

- Remove access_token field and getter from PluginTask
- Remove access_token handling from Auth class
- Update README to remove access_token documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Extract TOKEN_LIFETIME_SECONDS constant for token expiration time
- Add debug logging for non-sensitive response fields (expires_in, token_type, etc.)
- Remove unnecessary devstorage.read_write scope, keep only bigquery scope

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Simplify the configuration parameter name from json_keyfile to config for better clarity and consistency.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

…AwsCredentials

- Replace manual AWS signature implementation with AwsCredentials and AwsSecurityCredentialsSupplier
- Use ImpersonatedCredentials for service account impersonation
- Add aws_session_token support for temporary credentials
- Add scopes parameter to credential caching
- Upgrade google-auth-library-oauth2-http to 1.41.0
- Add google-http-client-gson 1.45.3 for Gson support

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

…tion

Allow accessing BigQuery directly without service account impersonation by making service_account_impersonation_url optional. When omitted from the WIF config, the federated token is used directly instead of impersonating a service account.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
katamotokosuke
approved these changes
Jan 7, 2026
Summary
Add Workload Identity Federation authentication method for AWS-to-GCP authentication
Changes
New authentication method: workload_identity_federation

This allows users to authenticate to Google Cloud using AWS credentials through Workload Identity Federation, eliminating the need to store Google Cloud service account keys.

Configuration options

- workload_identity_federation.config
- workload_identity_federation.aws_access_key_id
- workload_identity_federation.aws_secret_access_key
- workload_identity_federation.aws_session_token
- workload_identity_federation.aws_region

Example configuration
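The flow the PR describes, as an added example that is not the plugin's own code: explicit AWS credentials (access key, secret, optional session token, region) are handed to a custom AwsSecurityCredentialsSupplier, the google-auth-library exchanges the signed AWS request for a federated Google token at the STS endpoint, and, only when service_account_impersonation_url is set, that token is wrapped in ImpersonatedCredentials to mint a service-account token. It assumes google-auth-library-oauth2-http 1.41.0 (the version the PR upgrades to) and its public AwsCredentials / AwsSecurityCredentialsSupplier / ImpersonatedCredentials API. The WifConfig class, its field names, the TOKEN_LIFETIME_SECONDS value and the placeholder pool, provider and service-account identifiers are assumptions for illustration, not values from the project.

```java
// Added example, not the plugin's code. Assumes google-auth-library-oauth2-http 1.41.0.
import com.google.auth.oauth2.AwsCredentials;
import com.google.auth.oauth2.AwsSecurityCredentials;
import com.google.auth.oauth2.AwsSecurityCredentialsSupplier;
import com.google.auth.oauth2.ExternalAccountSupplierContext;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;

import java.io.IOException;
import java.util.Collections;
import java.util.List;

public final class WifExample {

    /** Assumed config holder mirroring the PR's workload_identity_federation.* keys. */
    public static final class WifConfig {
        public final String audience;                       // from the WIF "config" JSON
        public final String serviceAccountImpersonationUrl; // null: use the federated token directly
        public final String awsAccessKeyId;
        public final String awsSecretAccessKey;
        public final String awsSessionToken;                // null for long-lived keys; prefer temporary creds
        public final String awsRegion;

        public WifConfig(String audience, String serviceAccountImpersonationUrl, String awsAccessKeyId,
                         String awsSecretAccessKey, String awsSessionToken, String awsRegion) {
            this.audience = audience;
            this.serviceAccountImpersonationUrl = serviceAccountImpersonationUrl;
            this.awsAccessKeyId = awsAccessKeyId;
            this.awsSecretAccessKey = awsSecretAccessKey;
            this.awsSessionToken = awsSessionToken;
            this.awsRegion = awsRegion;
        }
    }

    // Standard subject token type and STS endpoint for AWS-to-Google Cloud federation.
    private static final String SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request";
    private static final String STS_TOKEN_URL = "https://sts.googleapis.com/v1/token";
    // Only the BigQuery scope, matching the PR's removal of devstorage.read_write.
    private static final List<String> BIGQUERY_SCOPE =
            Collections.singletonList("https://www.googleapis.com/auth/bigquery");
    // Lifetime requested for the impersonated token; the value is an assumption.
    private static final int TOKEN_LIFETIME_SECONDS = 3600;

    /** Supplies the AWS credentials the library uses to sign the GetCallerIdentity request. */
    static final class StaticAwsSupplier implements AwsSecurityCredentialsSupplier {
        private final AwsSecurityCredentials creds;
        private final String region;

        StaticAwsSupplier(WifConfig c) {
            // sessionToken may be null; when present the library includes it as x-amz-security-token.
            this.creds = new AwsSecurityCredentials(c.awsAccessKeyId, c.awsSecretAccessKey, c.awsSessionToken);
            this.region = c.awsRegion;
        }

        @Override public String getRegion(ExternalAccountSupplierContext ctx) throws IOException { return region; }
        @Override public AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext ctx) throws IOException { return creds; }
    }

    /**
     * Federated-only credentials when no impersonation URL is configured (the pool principal
     * must then hold BigQuery roles directly); otherwise impersonate the target service account.
     */
    public static GoogleCredentials build(WifConfig c) throws IOException {
        AwsCredentials federated = AwsCredentials.newBuilder()
                .setAudience(c.audience)
                .setSubjectTokenType(SUBJECT_TOKEN_TYPE)
                .setTokenUrl(STS_TOKEN_URL)
                .setAwsSecurityCredentialsSupplier(new StaticAwsSupplier(c))
                .setScopes(BIGQUERY_SCOPE)
                .build();

        if (c.serviceAccountImpersonationUrl == null || c.serviceAccountImpersonationUrl.isEmpty()) {
            return federated;
        }
        return ImpersonatedCredentials.create(
                federated,
                targetPrincipalFrom(c.serviceAccountImpersonationUrl),
                Collections.<String>emptyList(),   // no delegation chain
                BIGQUERY_SCOPE,
                TOKEN_LIFETIME_SECONDS);
    }

    /** Extracts SA_EMAIL from .../serviceAccounts/SA_EMAIL:generateAccessToken. */
    static String targetPrincipalFrom(String url) {
        String marker = "/serviceAccounts/";
        int start = url.indexOf(marker);
        int end = start < 0 ? -1 : url.indexOf(":generateAccessToken", start);
        if (start < 0 || end < 0) {
            throw new IllegalArgumentException("unexpected service_account_impersonation_url: " + url);
        }
        return url.substring(start + marker.length(), end);
    }

    public static void main(String[] args) throws IOException {
        // Placeholder identifiers; replace with your pool, provider and service account.
        WifConfig cfg = new WifConfig(
                "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/my-pool/providers/my-aws-provider",
                "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/bq-writer@my-project.iam.gserviceaccount.com:generateAccessToken",
                System.getenv("AWS_ACCESS_KEY_ID"), System.getenv("AWS_SECRET_ACCESS_KEY"),
                System.getenv("AWS_SESSION_TOKEN"), "ap-northeast-1");
        GoogleCredentials creds = build(cfg);
        creds.refreshIfExpired();   // performs the STS exchange (and impersonation, if configured)
        System.out.println("token type: " + creds.getClass().getSimpleName());
    }
}
```

The only long-lived secret in this setup is the AWS credential itself; pass a session token from temporary credentials where possible so a leaked value expires on its own. Note that AwsCredentials can also perform impersonation internally via setServiceAccountImpersonationUrl, but the example keeps the separate ImpersonatedCredentials step to match what the PR's commit describes.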