Background
Credential vending needs a control plane to issue temporary, scoped GCS credentials. For GCP, the native mechanism is OAuth2 token downscoping with Credential Access Boundaries (CAB): a source access token is exchanged for a downscoped access token restricted to a bucket and object prefix.
reqsign-google already has useful primitives for ADC, external account STS exchange, service account impersonation, and token credentials. However, it does not expose a CAB downscope token exchange primitive today.
Proposal
Add a GCP downscoped token API to reqsign_google that can:
- build a Credential Access Boundary for a bucket/prefix and a set of GCS role permissions;
- exchange a source OAuth2 access token via
https://sts.googleapis.com/v1/token;
- return a
Credential::with_token(Token { access_token, expires_at }) or a lower-level token result that callers can convert into a credential;
- use
Context::http_send instead of depending on a concrete HTTP client.
The API should be usable by a catalog/namespace service that already made its own authorization decision and now needs to vend scoped object-store credentials.
Non-goals
- Do not add catalog or namespace authorization logic to reqsign.
- Do not add Lance/object_store storage option maps to reqsign-core.
- Do not add a new global dynamic credential provider abstraction.
Why this is needed
Without CAB downscoping, downstream projects still need to keep their own GCP token exchange implementation even if they use reqsign for ADC, WIF, impersonation, and request signing.
Background
Credential vending needs a control plane to issue temporary, scoped GCS credentials. For GCP, the native mechanism is OAuth2 token downscoping with Credential Access Boundaries (CAB): a source access token is exchanged for a downscoped access token restricted to a bucket and object prefix.
reqsign-google already has useful primitives for ADC, external account STS exchange, service account impersonation, and token credentials. However, it does not expose a CAB downscope token exchange primitive today.
Proposal
Add a GCP downscoped token API to
reqsign_googlethat can:https://sts.googleapis.com/v1/token;Credential::with_token(Token { access_token, expires_at })or a lower-level token result that callers can convert into a credential;Context::http_sendinstead of depending on a concrete HTTP client.The API should be usable by a catalog/namespace service that already made its own authorization decision and now needs to vend scoped object-store credentials.
Non-goals
Why this is needed
Without CAB downscoping, downstream projects still need to keep their own GCP token exchange implementation even if they use reqsign for ADC, WIF, impersonation, and request signing.