Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Agent Auth with GCP to use new SignJWT endpoint #11473

Merged
merged 4 commits into from Apr 30, 2021
Merged

Update Agent Auth with GCP to use new SignJWT endpoint #11473

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
27ea94c
Update Agent Auth with GCP to use new SignJWT endpoint
catsby Apr 26, 2021
e0172e5
use iamcredentials name instead of renaming the package on import
catsby Apr 28, 2021
1fd6cd6
add changelog
catsby Apr 29, 2021
a08c499
Update changelog/11473.txt
catsby Apr 30, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions changelog/11473.txt
View file
Open in desktop
@@ -0,0 +1,4 @@
```release-note:change
agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
when using GCP Auto-Auth method
```
17 changes: 5 additions & 12 deletions command/agent/auth/gcp/gcp.go
View file
Open in desktop
Expand Up @@ -17,7 +17,7 @@ import (
"github.com/hashicorp/vault/command/agent/auth"
"github.com/hashicorp/vault/sdk/helper/parseutil"
"golang.org/x/oauth2"
iam "google.golang.org/api/iam/v1"
"google.golang.org/api/iamcredentials/v1"
)

const (
Expand Down Expand Up @@ -161,7 +161,7 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
default:
ctx := context.WithValue(context.Background(), oauth2.HTTPClient, cleanhttp.DefaultClient())

credentials, tokenSource, err := gcputil.FindCredentials(g.credentials, ctx, iam.CloudPlatformScope)
credentials, tokenSource, err := gcputil.FindCredentials(g.credentials, ctx, iamcredentials.CloudPlatformScope)
if err != nil {
retErr = errwrap.Wrapf("could not obtain credentials: {{err}}", err)
return
Expand All @@ -180,13 +180,6 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
return
}

project := "-"
if g.project != "" {
project = g.project
} else if credentials != nil {
project = credentials.ProjectId
}

ttlMin := int64(defaultIamMaxJwtExpMinutes)
if g.jwtExp != 0 {
ttlMin = g.jwtExp
Expand All @@ -204,17 +197,17 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
return
}

jwtReq := &iam.SignJwtRequest{
jwtReq := &iamcredentials.SignJwtRequest{
Payload: string(payloadBytes),
}

iamClient, err := iam.New(httpClient)
iamClient, err := iamcredentials.New(httpClient)
if err != nil {
retErr = errwrap.Wrapf("could not create IAM client: {{err}}", err)
return
}

resourceName := fmt.Sprintf("projects/%s/serviceAccounts/%s", project, serviceAccount)
resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", serviceAccount)
resp, err := iamClient.Projects.ServiceAccounts.SignJwt(resourceName, jwtReq).Do()
if err != nil {
retErr = errwrap.Wrapf(fmt.Sprintf("unable to sign JWT for %s using given Vault credentials: {{err}}", resourceName), err)
Expand Down