I was investigating the possibility of using this auth plugin to authenticate AI Platform Jobs to Vault using the gce method.
At first, I was happy to find out that the AI Platform Jobs can access the Google Instance Identity Metadata server the same way as GCEs do, thus returning a signed JWT that proves the instance identity.
I realized later that this plugin can't be used as-is in such a case because it requires the Vault cluster to have read access (for Compute and IAM) to the project that contains the host that is trying to authenticate to Vault; this unfortunately isn't possible in the case of AI Platform since Google creates a dedicated project (that gets entirely managed by them) where no possibility is left to add custom permissions to custom service accounts.
Now, I may ask a very foolish question:
Why does this plugin require validating the JWT by performing additional requests to the Google APIs (Compute + IAM)?
Is it only to retrieve things like labels, as this comment suggests?
(Referring to the same comment: since you already check that the JWT has been generated in the last minute, why do you consider it necessary to perform the additional existence check?)
Is this related to the "check" that the Google docs refer to at point 3)?
If so, why is the signing service account also checked for existence?
Now, my request: would it be possible (in the config or role path):
- to allow specifying a custom jwtExpToleranceSec?
- to make the "active double check of existence" optional, by adding a new parameter that defaults to the current behavior (perform the double check) but allows disabling it (raising an error if it is used in combination with one of the options that absolutely require calling the APIs, e.g. bound_labels)? (In practice, only the service account could actually be validated for sure, but this may be enough in many cases, as it is with the iam method)
These changes would allow this plugin to be used to easily (and securely, since they are JWT-backed) authenticate AI Platform Jobs, and probably many other products that aren't GCEs but run on GCEs under the hood, so I think they can add great value to this plugin.
Thanks,
Andrea
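A local check of the kind the request describes, as an added example written for this issue (not the plugin's own code): it verifies the instance identity JWT's RS256 signature, audience and iat freshness with a configurable tolerance and binds the signing service account, without calling the Compute or IAM APIs. The key, claim values and function names are constructed placeholders; a real deployment would verify against Google's published signing keys rather than a locally generated one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type Claims struct { // subset of a GCE instance identity token that a local check acts on
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Email string `json:"email"` // service account the metadata server signed for
}
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// NewTestKey makes a throwaway key standing in for Google's signing key (constructed test input).
func NewTestKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// MintToken signs constructed test claims with RS256, the alg Google's metadata server uses.
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	s := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(s))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return s + "." + b64.EncodeToString(sig)
}

// VerifyLocal: signature (pinned to RS256, so the header's alg cannot downgrade it), audience, freshness
// (iat within tolSec of now, a configurable jwtExpToleranceSec) and bound service account; no API calls.
func VerifyLocal(tok string, pub *rsa.PublicKey, aud string, bound map[string]bool, tolSec, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed jwt")
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if pay, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(pay, &c) != nil {
		return nil, errors.New("bad payload")
	}
	// Email is the one identity the signature itself attests; iat must lie within tolSec of now either way.
	if c.Aud != aud || !bound[c.Email] || now-c.Iat > tolSec || c.Iat-now > tolSec {
		return nil, errors.New("audience, service account or freshness check failed")
	}
	return &c, nil
}
```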