tustvold commented on issue #5233:
URL: https://github.com/apache/arrow-rs/issues/5233#issuecomment-1900402271

   Done some more digging, in no particular order
   
   **InstanceMetadata**
   
   So the instance metadata token endpoint only provides an access token, and no email, although this can be retrieved with
   
   ```
   curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email
   ```
   
   **AuthorizedUserCredentials**
   
   As described [here](https://google.aip.dev/auth/4113) the configuration metadata does not contain information on the calling identity. Additionally, as described [here](https://cloud.google.com/docs/authentication/token-types#access) the returned access token is opaque and does not provide information on the identity either.
   
   However, the information can be retrieved by calling a specific API endpoint 
[here](https://cloud.google.com/docs/authentication/token-types#access-contents).
   
   ```
   curl "https://oauth2.googleapis.com/tokeninfo?access_token=ACCESS_TOKEN";
   ```
   
   **HMAC Keys**
   
   I am not sure this is something we will want to support, but you can also 
sign requests using [HMAC 
keys](https://cloud.google.com/storage/docs/aws-simple-migration#authentication).
   
   **Conclusion**
   
   I think we will need an approach that allows different signing methodologies based on the underlying credential provider. The simplest way to do this is likely to implement `Signer` for the various different credentials providers, i.e. `SelfSignedJwt`, `InstanceCredentialProvider`, etc... to store an `Arc<dyn Signer>` on `GoogleCloudStorage` and implement `Signer` for `GoogleCloudStorage` by calling through to it.
   
   Let me know if anything isn't clear.
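The dispatch sketched in the comment above, as an added example that is not code from arrow-rs or object_store: a `Signer` abstraction where each credential provider resolves its own signing identity from the source the comment identifies (the metadata server's `email` endpoint, the `tokeninfo` endpoint, or the HMAC access ID), and a `GoogleCloudStorage` wrapper that just forwards to whichever signer it holds. The class names, the injected `fake_http_get` transport and its responses, the sample emails and tokens are all constructed for this example; the `identity/date/auto/storage/goog4_request` credential-scope format is the V4 signed-URL convention and is not stated on the page. Note that `tokeninfo` takes the access token in the query string, exactly as the comment's curl does, so that URL ends up in any request logging on the path.

```python
import json
from abc import ABC, abstractmethod
from typing import Callable, Mapping, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints named in the comment above.
METADATA_EMAIL_URL = (
    "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email"
)
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"

# Injected transport: (url, headers) -> (status, body). Keeps the example offline.
HttpGet = Callable[[str, Mapping[str, str]], Tuple[int, str]]


class IdentityError(Exception):
    """Raised when a credential provider cannot establish who would sign."""


class Signer(ABC):
    """Hypothetical trait: each provider knows how to find its signing identity."""

    @abstractmethod
    def signing_identity(self) -> str: ...


class InstanceMetadataCredentials(Signer):
    def __init__(self, http_get: HttpGet) -> None:
        self._get = http_get

    def signing_identity(self) -> str:
        # The token endpoint gives no email; the metadata server does, but only
        # answers when the Metadata-Flavor header is present.
        status, body = self._get(METADATA_EMAIL_URL, {"Metadata-Flavor": "Google"})
        if status != 200:
            raise IdentityError(f"metadata server returned {status}: {body.strip()}")
        email = body.strip()
        if "@" not in email:
            raise IdentityError(f"unexpected metadata response: {email!r}")
        return email


class AuthorizedUserCredentials(Signer):
    def __init__(self, access_token: str, http_get: HttpGet) -> None:
        self._token = access_token
        self._get = http_get

    def signing_identity(self) -> str:
        # The access token is opaque; tokeninfo resolves it. The token travels in
        # the query string, so this URL must be kept out of logs.
        url = f"{TOKENINFO_URL}?{urlencode({'access_token': self._token})}"
        status, body = self._get(url, {})
        info = json.loads(body)
        if status != 200 or "error" in info:
            reason = info.get("error_description", info.get("error", status))
            raise IdentityError(f"tokeninfo rejected token: {reason}")
        email = info.get("email")
        if not email:
            # A valid token issued without an email scope resolves but carries no identity.
            raise IdentityError("tokeninfo response has no email field")
        return email


class HmacKeyCredentials(Signer):
    """HMAC keys carry their identity statically: the access ID is the principal."""

    def __init__(self, access_id: str) -> None:
        self._access_id = access_id

    def signing_identity(self) -> str:
        return self._access_id


class GoogleCloudStorage(Signer):
    """Holds one Signer and forwards to it, mirroring the Arc<dyn Signer> idea."""

    def __init__(self, signer: Signer) -> None:
        self._signer = signer

    def signing_identity(self) -> str:
        return self._signer.signing_identity()

    def credential_scope(self, yyyymmdd: str) -> str:
        # V4 X-Goog-Credential value: identity, date, region, service, terminator.
        return f"{self.signing_identity()}/{yyyymmdd}/auto/storage/goog4_request"


def fake_http_get(url: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for the two endpoints; all responses are made up."""
    if url == METADATA_EMAIL_URL:
        if headers.get("Metadata-Flavor") != "Google":
            return 403, "Missing Metadata-Flavor:Google header."
        return 200, "sa@example.iam.gserviceaccount.com\n"
    if url.startswith(TOKENINFO_URL + "?"):
        token = parse_qs(urlparse(url).query).get("access_token", [""])[0]
        known = {
            "ya29.constructed-user": {"email": "user@example.com", "expires_in": "3599"},
            "ya29.constructed-no-email": {"expires_in": "3599", "scope": "devstorage.read_write"},
        }
        if token in known:
            return 200, json.dumps(known[token])
        return 400, json.dumps({"error": "invalid_token", "error_description": "Invalid Value"})
    return 404, "not found"
```

Swapping the signer is the only thing `GoogleCloudStorage` needs to know about; `GoogleCloudStorage(InstanceMetadataCredentials(fake_http_get)).credential_scope("20240119")` yields the service account's scope, while the same call with an `AuthorizedUserCredentials` whose token lacks an email scope raises `IdentityError` rather than producing a scope with an empty principal.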
