Support for --impersonate-service-account #417

Closed
xanonid opened this issue Jul 15, 2020 · 11 comments · Fixed by #1460 or #1404
Labels: priority: p0 (Highest priority. Critical issue. P0 implies highest priority.); type: feature request (‘Nice-to-have’ improvement, new feature or different behavior or design.)

Comments

@xanonid commented Jul 15, 2020

It would be nice if Cloud SQL Proxy supported the --impersonate-service-account flag, similar to the corresponding flag in gcloud. This would make it possible to use impersonation out of the box instead of long-lived and possibly non-personalized service-account credentials.

@xanonid xanonid added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Jul 15, 2020
@shubha-rajan shubha-rajan added the priority: p3 Desirable enhancement or fix. May not be included in next release. label Jul 15, 2020
@enocom enocom removed their assignment Feb 26, 2021
@red8888 commented May 4, 2021

Any movement on this? Is it even possible to use impersonation with cloud_sql_proxy? I'm not generating static, non-expiring keys for my service accounts.

@kurtisvg (Contributor) commented May 4, 2021

It looks like the SQLAdmin client provides a hook for doing this now: https://pkg.go.dev/google.golang.org/api/option#ImpersonateCredentials

@red8888 commented Sep 2, 2021

Are there any updates or status on this? The only way I have been able to impersonate is with gcloud via `gcloud config set auth/impersonate_service_account <MY_SERVICE_ACCOUNT>`.

The support for this is so poor. Can I run `gcloud auth print-access-token --impersonate-service-account=<MY_SERVICE_ACCOUNT>` and set an env var to the access token or something?

@enocom enocom added priority: p2 Moderately-important priority. Fix may not be included in next release. and removed priority: p3 Desirable enhancement or fix. May not be included in next release. labels Sep 7, 2021
@enocom (Member) commented Sep 7, 2021

Bumping up the priority on this. Right now there's not a good built-in way to do this.

For people who didn't see the StackOverflow post, a current workaround looks like this:

```sh
# The shell substitution mints one impersonated access token when the command
# starts and hands that single string to the proxy via --token.
cloud_sql_proxy --instances=<instanceName>=tcp:3306 \
  --token=$(gcloud auth print-access-token --impersonate-service-account=<service account>)
```

@enocom (Member) commented Sep 10, 2021

We're presently working on a v2 of the proxy, which will include a new dialer as well. We plan to add support for impersonating an account there (see the tracking issue linked above for progress).

@JonasHedEng

Are there any updates on whether this might be supported in v2? I couldn't find any reference of it when looking at the tracking issue. Thanks!

@enocom enocom added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. and removed priority: p2 Moderately-important priority. Fix may not be included in next release. labels Aug 31, 2022
@enocom (Member) commented Aug 31, 2022

Yes, we will support this in v2. With the new Go Connector this is an easy fix.

@enocom (Member) commented Aug 31, 2022

Looking at this again, there's a new API that will return a token source with impersonated credentials.

https://pkg.go.dev/google.golang.org/api@v0.94.0/impersonate

So in effect, we'd just need to expose some CLI flags to configure that token source and be good.

@enocom (Member) commented Sep 12, 2022

Thinking about CLI flags, I think the proxy would only need to expose TargetPrincipal and Delegates here: https://pkg.go.dev/google.golang.org/api@v0.94.0/impersonate#CredentialsConfig.

The proxy knows the necessary Scopes. Lifetime has a good default. And Subject seems unnecessary for our use case here.
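The two comments above (Aug 31 and Sep 12) sketch the design: a CLI flag whose value feeds TargetPrincipal and Delegates of impersonate.CredentialsConfig, with the proxy choosing the Scopes itself. The following is an added example written for this page, not code from the Cloud SQL Auth Proxy or from google.golang.org/api. It uses only the Go standard library: `ImpersonationConfig` is a local stand-in that mirrors the three CredentialsConfig fields, the flag name `--impersonate-service-account`, the "last entry is the target, earlier entries are delegates" ordering, and the `sqlservice.admin` scope are all assumptions chosen here, and `ParseImpersonateFlag` / `RequiredGrants` are hypothetical helpers. What it adds beyond the thread is the part that bites operators in practice: validating the chain up front and listing which roles/iam.serviceAccountTokenCreator binding each hop relies on, which is where a denied impersonation is almost always misconfigured.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ImpersonationConfig mirrors the fields of impersonate.CredentialsConfig
// (google.golang.org/api/impersonate) that the thread proposes exposing: the
// user supplies TargetPrincipal and Delegates, the proxy supplies Scopes.
// It is a local stand-in (assumption) so this example builds with the standard
// library alone; a real integration would copy these values into
// impersonate.CredentialsConfig and call impersonate.CredentialsTokenSource.
type ImpersonationConfig struct {
	TargetPrincipal string
	Delegates       []string
	Scopes          []string
}

// sqlAdminScope is assumed here as the scope the proxy would request; the
// thread only says that the proxy "knows the necessary Scopes".
const sqlAdminScope = "https://www.googleapis.com/auth/sqlservice.admin"

// TokenCreatorRole is the IAM role each hop of a delegation chain needs on the
// next service account in the chain.
const TokenCreatorRole = "roles/iam.serviceAccountTokenCreator"

// looksLikeServiceAccount is a cheap sanity check on a flag entry, so a typo
// fails at startup instead of surfacing as an opaque IAM error on the first
// API call. It only checks the shape of the address, not that it exists.
func looksLikeServiceAccount(email string) bool {
	at := strings.IndexByte(email, '@')
	if at <= 0 || strings.Count(email, "@") != 1 || strings.ContainsAny(email, " \t\r\n") {
		return false
	}
	return strings.HasSuffix(email[at+1:], ".gserviceaccount.com")
}

// ParseImpersonateFlag turns a hypothetical
// --impersonate-service-account=SA1,SA2,...,TARGET value into a config.
// Convention assumed here: the last entry is the target principal and the
// entries before it are delegates, in the order the chain is walked from the
// caller toward the target. Empty entries, duplicates (a chain cannot loop)
// and addresses that do not look like service accounts are rejected.
func ParseImpersonateFlag(value string) (ImpersonationConfig, error) {
	var cfg ImpersonationConfig
	if strings.TrimSpace(value) == "" {
		return cfg, errors.New("impersonate flag: no service account given")
	}
	seen := make(map[string]bool)
	var chain []string
	for _, raw := range strings.Split(value, ",") {
		sa := strings.TrimSpace(raw)
		if sa == "" {
			return cfg, errors.New("impersonate flag: empty entry in chain")
		}
		if !looksLikeServiceAccount(sa) {
			return cfg, fmt.Errorf("impersonate flag: %q is not a service account email", sa)
		}
		if seen[sa] {
			return cfg, fmt.Errorf("impersonate flag: %q appears twice; a chain cannot loop", sa)
		}
		seen[sa] = true
		chain = append(chain, sa)
	}
	cfg.TargetPrincipal = chain[len(chain)-1]
	cfg.Delegates = chain[:len(chain)-1]
	cfg.Scopes = []string{sqlAdminScope}
	return cfg, nil
}

// RequiredGrants lists the Token Creator bindings the chain depends on, one
// per hop, starting from the caller's own identity (the ADC or gcloud user).
// Logging this at startup tells an operator exactly which binding to check
// when impersonation is denied.
func RequiredGrants(caller string, cfg ImpersonationConfig) []string {
	from := caller
	var grants []string
	for _, next := range append(append([]string{}, cfg.Delegates...), cfg.TargetPrincipal) {
		grants = append(grants, fmt.Sprintf("%s needs %s on %s", from, TokenCreatorRole, next))
		from = next
	}
	return grants
}

func main() {
	// Constructed sample flag value: one delegate hop, then the target.
	cfg, err := ParseImpersonateFlag("hop@demo.iam.gserviceaccount.com,proxy@demo.iam.gserviceaccount.com")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("target=%s delegates=%v scopes=%v\n", cfg.TargetPrincipal, cfg.Delegates, cfg.Scopes)
	for _, g := range RequiredGrants("alice@example.com", cfg) {
		fmt.Println(g)
	}
}
```

The point of building a token source rather than pasting a token: with the `--token=$(gcloud auth print-access-token --impersonate-service-account=...)` workaround from earlier in the thread, the shell substitution mints a single token at startup and the proxy only ever holds that string, so the session is bounded by that token's lifetime (one hour by default). A token source returned by impersonate.CredentialsTokenSource mints a fresh token as the previous one nears expiry, so a long-running proxy keeps working without any long-lived key on disk.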

@enocom enocom added priority: p0 Highest priority. Critical issue. P0 implies highest priority. and removed priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Sep 12, 2022
@enocom (Member) commented Sep 12, 2022

Bumping the priority up since there's a lot of interest here.

@enocom enocom self-assigned this Sep 24, 2022
enocom added a commit that referenced this issue Oct 7, 2022
enocom added a commit that referenced this issue Oct 7, 2022
@enocom (Member) commented Oct 14, 2022

We'll have this in the next release which we'll cut before next month.
