Skip to content

Coerce Credentials to handle GCP OIDC #491

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Apr 14, 2022
Merged

Coerce Credentials to handle GCP OIDC #491

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
8a9cbf9
attempt to handle GCPs OIDC credentials
dacbd Apr 9, 2022
0078ba0
yank from project from oidc json creds
dacbd Apr 13, 2022
1cecc2a
hacky test
dacbd Apr 13, 2022
bfd9aff
Revert "hacky test"
dacbd Apr 13, 2022
4082ba2
remove old comment
dacbd Apr 13, 2022
33c7cf3
better var name
dacbd Apr 13, 2022
55c3e6a
simply
dacbd Apr 13, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 21 additions & 1 deletion iterative/gcp/provider.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -324,7 +324,27 @@ func getProjectService() (string, *gcp_compute.Service, error) {
}

if credentials.ProjectID == "" {
return "", nil, errors.New("Couldn't extract the project identifier from the given credentials!")
// Coerce Credentials to handle GCP OIDC auth
// Common ProjectID ENVs:
// https://github.com/google-github-actions/auth/blob/b05f71482f54380997bcc43a29ef5007de7789b1/src/main.ts#L187-L191
// https://github.com/hashicorp/terraform-provider-google/blob/d6734812e2c6a679334dcb46932f4b92729fa98c/google/provider.go#L64-L73
coercedProjectID := utils.MultiEnvLoadFirst([]string{
"CLOUDSDK_CORE_PROJECT",
"CLOUDSDK_PROJECT",
"GCLOUD_PROJECT",
"GCP_PROJECT",
"GOOGLE_CLOUD_PROJECT",
"GOOGLE_PROJECT",
})
if coercedProjectID == "" {
// last effort to load
fromCredentialsID, err := utils.GCPCoerceOIDCCredentials(credentials.JSON)
if err != nil {
return "", nil, fmt.Errorf("Couldn't extract the project identifier from the given credentials!: [%w]", err)
}
coercedProjectID = fromCredentialsID
}
credentials.ProjectID = coercedProjectID
}

os.Setenv("GOOGLE_APPLICATION_CREDENTIALS_DATA", string(credentials.JSON))
Expand Down
34 changes: 34 additions & 0 deletions iterative/utils/helpers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ package utils

import (
"context"
"encoding/json"
"errors"
"fmt"
"os"
"strings"
Expand Down Expand Up @@ -89,6 +91,38 @@ func SetId(d *schema.ResourceData) {
}
}

func MultiEnvLoadFirst(envs []string) string {
for _, val := range envs {
if env_value := os.Getenv(val); env_value != "" {
return env_value
}
}
return ""
}

func GCPCoerceOIDCCredentials(rawCreds []byte) (string, error) {
hack := make(map[string]interface{})
err := json.Unmarshal(rawCreds, &hack)
if err != nil {
return "", err
}
saString := fmt.Sprint(hack["service_account_impersonation_url"])
// saString example: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
if saString == "" {
return "", errors.New("[GCP OIDC] Unable to load service_account_impersonation_url")
}
// from saString, yank this
// -----------------------v.........v----------------------
// (...serviceAccounts/[email protected]:...)
atIndex := strings.Index(saString, "@") + 1
iamIndex := strings.Index(saString, ".iam.")
if atIndex == -1 || iamIndex == -1 {
return "", errors.New("[GCP OIDC] Failed to get Project ID from service_account_impersonation_url")
}
projectID := saString[atIndex:iamIndex]
return projectID, nil
}

func LoadGCPCredentials() string {
credentialsData := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS_DATA")
if len(credentialsData) == 0 {
Expand Down