Update Agent Auth with GCP to use new SignJWT endpoint (#11473)

* Update Agent Auth with GCP to use new SignJWT endpoint * use iamcredentials name instead of renaming the package on import * add changelog * Update changelog/11473.txt Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
hashicorp · Apr 30, 2021 · f4c0958 · f4c0958
1 parent 6101e0e
commit f4c0958
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 12 deletions.
diff --git a/changelog/11473.txt b/changelog/11473.txt
@@ -0,0 +1,4 @@
+```release-note:change
+agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
+when using GCP Auto-Auth method
+```
diff --git a/command/agent/auth/gcp/gcp.go b/command/agent/auth/gcp/gcp.go
@@ -17,7 +17,7 @@ import (
 	"github.com/hashicorp/vault/command/agent/auth"
 	"github.com/hashicorp/vault/sdk/helper/parseutil"
 	"golang.org/x/oauth2"
-	iam "google.golang.org/api/iam/v1"
+	"google.golang.org/api/iamcredentials/v1"
 )
 
 const (
@@ -161,7 +161,7 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 	default:
 		ctx := context.WithValue(context.Background(), oauth2.HTTPClient, cleanhttp.DefaultClient())
 
-		credentials, tokenSource, err := gcputil.FindCredentials(g.credentials, ctx, iam.CloudPlatformScope)
+		credentials, tokenSource, err := gcputil.FindCredentials(g.credentials, ctx, iamcredentials.CloudPlatformScope)
 		if err != nil {
 			retErr = errwrap.Wrapf("could not obtain credentials: {{err}}", err)
 			return
@@ -180,13 +180,6 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 			return
 		}
 
-		project := "-"
-		if g.project != "" {
-			project = g.project
-		} else if credentials != nil {
-			project = credentials.ProjectId
-		}
-
 		ttlMin := int64(defaultIamMaxJwtExpMinutes)
 		if g.jwtExp != 0 {
 			ttlMin = g.jwtExp
@@ -204,17 +197,17 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 			return
 		}
 
-		jwtReq := &iam.SignJwtRequest{
+		jwtReq := &iamcredentials.SignJwtRequest{
 			Payload: string(payloadBytes),
 		}
 
-		iamClient, err := iam.New(httpClient)
+		iamClient, err := iamcredentials.New(httpClient)
 		if err != nil {
 			retErr = errwrap.Wrapf("could not create IAM client: {{err}}", err)
 			return
 		}
 
-		resourceName := fmt.Sprintf("projects/%s/serviceAccounts/%s", project, serviceAccount)
+		resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", serviceAccount)
 		resp, err := iamClient.Projects.ServiceAccounts.SignJwt(resourceName, jwtReq).Do()
 		if err != nil {
 			retErr = errwrap.Wrapf(fmt.Sprintf("unable to sign JWT for %s using given Vault credentials: {{err}}", resourceName), err)