This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

Update internal GCP Auth to use new SignJWT endpoint #1389

Merged
merged 1 commit into from May 6, 2021

@catsby catsby commented Apr 26, 2021

Updates Waypoint's internal GCP auth to use GCP's IAM Service Account Credential endpoint for signing JWTs, as the IAM endpoint versions are deprecated and being turned off (not totally sure when but speculation/inference is around July 1, 2021). See https://cloud.google.com/iam/docs/migrating-to-credentials-api for more information on the deprecation and migration.

I'm honestly not sure where this is used and there isn't a directly related test file associated with this, so I have not tested other than to ensure the project still compiles.

See also for more backstory:

Note: I added the pr/no-changelog label because I didn't feel this change warranted it, but let me know if you'd prefer one added

@catsby catsby added the pr/no-changelog No automatic changelog entry required for this pull request label Apr 26, 2021

@briancain briancain left a comment

Hey @catsby ! Thanks.

I think we'll also want to update 👇🏻 too?

    apiResource := fmt.Sprintf("projects/%s/serviceAccounts/%s",
        p.config.Project,
        p.config.ServiceAccountName,
    )

I could see this needing a CHANGELOG entry only because in the future, older Waypoints will probably fail once the endpoint is deprecated? It might be nice in that sense to remember when the update to the new endpoint usage was released.

@briancain briancain requested a review from a team April 26, 2021 18:50

catsby commented Apr 26, 2021

Hey @briancain - I believe the usage in google/cloudrun/platform.go is correct; the URL change from projects/%s/serviceAccounts/%s to projects/-/serviceAccounts/%s only pertains to the Service Account Credentials API. The API to test permissions seems to be correct. The changes required only matter for signing JWTs, and I'm not finding spots in the Waypoint code where that method is otherwise called. Let me know what you think, maybe I'm missing something?
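The request shape discussed above for the Service Account Credentials API, as an added example that is not code from this PR or from Waypoint: it builds (but does not send) a `signJwt` request using the `projects/-/serviceAccounts/...` resource name. `SignJWTResource` and `NewSignJWTRequest` are hypothetical helper names, and the account and claims are constructed sample values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Base URL of the Service Account Credentials API (replaces signJwt on iam.googleapis.com).
const credentialsAPI = "https://iamcredentials.googleapis.com/v1"

// SignJWTResource returns the resource name the Credentials API expects: the
// project segment is the "-" wildcard, not a project ID as in the old IAM call.
func SignJWTResource(serviceAccount string) (string, error) {
	if serviceAccount == "" || strings.ContainsAny(serviceAccount, "/:?#") {
		return "", fmt.Errorf("invalid service account %q", serviceAccount)
	}
	return "projects/-/serviceAccounts/" + serviceAccount, nil
}

// NewSignJWTRequest (hypothetical helper) builds the POST without credentials;
// the caller sends it with an OAuth2-authorized http.Client.
func NewSignJWTRequest(serviceAccount string, claims map[string]interface{}) (*http.Request, error) {
	name, err := SignJWTResource(serviceAccount)
	if err != nil {
		return nil, err
	}
	payload, err := json.Marshal(claims) // the claim set travels as a JSON string
	if err != nil {
		return nil, err
	}
	body, _ := json.Marshal(map[string]string{"payload": string(payload)}) // cannot fail
	req, err := http.NewRequest(http.MethodPost, credentialsAPI+"/"+name+":signJwt", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

func main() {
	// Constructed sample account and claims (placeholders, not from the PR).
	req, err := NewSignJWTRequest("deployer@example-project.iam.gserviceaccount.com",
		map[string]interface{}{"sub": "deployer"})
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL)
}
```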

@briancain briancain removed the pr/no-changelog No automatic changelog entry required for this pull request label Apr 26, 2021

@krantzinator krantzinator left a comment

ran through a release to GCP with this and it works 🎉

The IAM endpoint to sign JWTs is deprecated, and users are asked to
migrate to the Service Account Credentials API instead.

See https://cloud.google.com/iam/docs/migrating-to-credentials-api

@briancain briancain left a comment

👍🏻 looks good!
