From f40e64bac07ba0551b531a71ee72906f44c6fd86 Mon Sep 17 00:00:00 2001
From: catsby
Date: Mon, 26 Apr 2021 12:45:32 -0500
Subject: [PATCH] Use Service Account Credentials API to sign JWTs

The IAM endpoint to sign JWTs is deprecated, and users are asked to migrate to the Service Account Credentials API instead. See https://cloud.google.com/iam/docs/migrating-to-credentials-api

---
 .changelog/1389.txt | 3 +++
 builtin/vault/internal/auth/gcp/gcp.go | 13 ++++---------
 2 files changed, 7 insertions(+), 9 deletions(-)
 create mode 100644 .changelog/1389.txt

diff --git a/.changelog/1389.txt b/.changelog/1389.txt
new file mode 100644
index 00000000000..42d77fb5937
--- /dev/null
+++ b/.changelog/1389.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+plugin/vault: Use new Service Account Credentials API for GCP SignJWT endpoint
+```
diff --git a/builtin/vault/internal/auth/gcp/gcp.go b/builtin/vault/internal/auth/gcp/gcp.go
index 6b7cad1b477..baad96afa64 100644
--- a/builtin/vault/internal/auth/gcp/gcp.go
+++ b/builtin/vault/internal/auth/gcp/gcp.go
@@ -16,7 +16,7 @@ import (
 "github.com/hashicorp/vault/api"
 "github.com/hashicorp/vault/sdk/helper/parseutil"
 "golang.org/x/oauth2"
- iam "google.golang.org/api/iam/v1"
+ iam "google.golang.org/api/iamcredentials/v1"

 "github.com/hashicorp/waypoint/builtin/vault/internal/auth"
 )
@@ -181,13 +181,6 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 return
 }

- project := "-"
- if g.project != "" {
- project = g.project
- } else if credentials != nil {
- project = credentials.ProjectId
- }
-
 ttlMin := int64(defaultIamMaxJwtExpMinutes)
 if g.jwtExp != 0 {
 ttlMin = g.jwtExp
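Review bot: The alias `iam` now binds `google.golang.org/api/iamcredentials/v1`, so every `iam.` reference in the rest of the file (the `iamClient` construction and `jwtReq`, both outside this hunk) reads as though it still targets the IAM API. Since the package is already named `iamcredentials`, dropping the alias — `"google.golang.org/api/iamcredentials/v1"` — and updating the call sites would make the migration visible at each use. Both packages export `SignJwtRequest`/`SignJwtResponse` with the same field names, which is presumably why the rest of the file compiles unchanged; that also means the compiler will not flag any call site that still assumes the old API's request shape, so those sites deserve a manual read.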
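Review bot: Removing the `project` block leaves `g.project` with no remaining reader in the signing path, yet the diffstat shows no change to wherever that field is populated, so a project value supplied by the user is now silently ignored rather than rejected. If the config key still exists it should either be removed together with the field or be marked as unused, e.g. `// project is no longer consulted: the Credentials API resource name uses the "-" wildcard`. The `credentials.ProjectId` read disappears with it, which is fine provided `credentials` is still needed elsewhere for the service account email (outside this hunk). `Authenticate` begins before this hunk and continues past it.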
@@ -215,7 +208,9 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 return
 }

- resourceName := fmt.Sprintf("projects/%s/serviceAccounts/%s", project, serviceAccount)
+ // JWTs are signed via the IAM Service Account Credentials API.
+ // See https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+ resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", serviceAccount)
 resp, err := iamClient.Projects.ServiceAccounts.SignJwt(resourceName, jwtReq).Do()
 if err != nil {
 retErr = errwrap.Wrapf(fmt.Sprintf("unable to sign JWT for %s using given Vault credentials: {{err}}", resourceName), err)
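Review bot: The new resource name is built from `serviceAccount` without a check that it is non-empty; unless that is validated where the value is derived (outside this hunk), an empty value yields `projects/-/serviceAccounts/` and the API error that follows is harder to attribute. A guard just before the `fmt.Sprintf`, `if serviceAccount == "" { retErr = fmt.Errorf("unable to sign JWT: no service account email available"); return }`, fails with a clear message and skips the network call. The added comment is helpful; extending it to say that the Vault-supplied credentials need the `iam.serviceAccounts.signJwt` permission (Service Account Token Creator) on the target account would give operators the first thing to check when this call returns a 403. `Authenticate` begins before this hunk and continues past it.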