Use Service Account Credentials API to sign JWTs

The IAM endpoint to sign JWTs is deprecated, and users are asked to migrate to the Service Account Credentials API instead. See https://cloud.google.com/iam/docs/migrating-to-credentials-api
hashicorp · Apr 26, 2021 · f40e64b · f40e64b
1 parent e266c35
commit f40e64b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 9 deletions.
diff --git a/.changelog/1389.txt b/.changelog/1389.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+plugin/vault: Use new Service Account Credentials API for GCP SignJWT endpoint
+```
diff --git a/builtin/vault/internal/auth/gcp/gcp.go b/builtin/vault/internal/auth/gcp/gcp.go
@@ -16,7 +16,7 @@ import (
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/sdk/helper/parseutil"
 	"golang.org/x/oauth2"
-	iam "google.golang.org/api/iam/v1"
+	iam "google.golang.org/api/iamcredentials/v1"
 
 	"github.com/hashicorp/waypoint/builtin/vault/internal/auth"
 )
@@ -181,13 +181,6 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 			return
 		}
 
-		project := "-"
-		if g.project != "" {
-			project = g.project
-		} else if credentials != nil {
-			project = credentials.ProjectId
-		}
-
 		ttlMin := int64(defaultIamMaxJwtExpMinutes)
 		if g.jwtExp != 0 {
 			ttlMin = g.jwtExp
@@ -215,7 +208,9 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 			return
 		}
 
-		resourceName := fmt.Sprintf("projects/%s/serviceAccounts/%s", project, serviceAccount)
+		// JWTs are signed via the IAM Service Account Credentials API.
+		// See https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+		resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", serviceAccount)
 		resp, err := iamClient.Projects.ServiceAccounts.SignJwt(resourceName, jwtReq).Do()
 		if err != nil {
 			retErr = errwrap.Wrapf(fmt.Sprintf("unable to sign JWT for %s using given Vault credentials: {{err}}", resourceName), err)