Skip to content

Commit 3ad0987

Browse files
catsbycatsby
authored
Update Agent Auth with GCP to use new SignJWT endpoint (#11473) (#11508)
1 parent 0cd683b commit 3ad0987

File tree

2 files changed

+9
-12
lines changed

2 files changed

+9
-12
lines changed

changelog/11473.txt

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
```release-note:change
2+
agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
3+
when using GCP Auto-Auth method
4+
```

command/agent/auth/gcp/gcp.go

Lines changed: 5 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ import (
1717
"github.com/hashicorp/vault/command/agent/auth"
1818
"github.com/hashicorp/vault/sdk/helper/parseutil"
1919
"golang.org/x/oauth2"
20-
iam "google.golang.org/api/iam/v1"
20+
"google.golang.org/api/iamcredentials/v1"
2121
)
2222

2323
const (
@@ -161,7 +161,7 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
161161
default:
162162
ctx := context.WithValue(context.Background(), oauth2.HTTPClient, cleanhttp.DefaultClient())
163163

164-
credentials, tokenSource, err := gcputil.FindCredentials(g.credentials, ctx, iam.CloudPlatformScope)
164+
credentials, tokenSource, err := gcputil.FindCredentials(g.credentials, ctx, iamcredentials.CloudPlatformScope)
165165
if err != nil {
166166
retErr = errwrap.Wrapf("could not obtain credentials: {{err}}", err)
167167
return
@@ -180,13 +180,6 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
180180
return
181181
}
182182

183-
project := "-"
184-
if g.project != "" {
185-
project = g.project
186-
} else if credentials != nil {
187-
project = credentials.ProjectId
188-
}
189-
190183
ttlMin := int64(defaultIamMaxJwtExpMinutes)
191184
if g.jwtExp != 0 {
192185
ttlMin = g.jwtExp
@@ -204,17 +197,17 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
204197
return
205198
}
206199

207-
jwtReq := &iam.SignJwtRequest{
200+
jwtReq := &iamcredentials.SignJwtRequest{
208201
Payload: string(payloadBytes),
209202
}
210203

211-
iamClient, err := iam.New(httpClient)
204+
iamClient, err := iamcredentials.New(httpClient)
212205
if err != nil {
213206
retErr = errwrap.Wrapf("could not create IAM client: {{err}}", err)
214207
return
215208
}
216209

217-
resourceName := fmt.Sprintf("projects/%s/serviceAccounts/%s", project, serviceAccount)
210+
resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", serviceAccount)
218211
resp, err := iamClient.Projects.ServiceAccounts.SignJwt(resourceName, jwtReq).Do()
219212
if err != nil {
220213
retErr = errwrap.Wrapf(fmt.Sprintf("unable to sign JWT for %s using given Vault credentials: {{err}}", resourceName), err)

0 commit comments

Comments
 (0)