Add stub method to remove creds from instance metadata, if an overrid…

…e service account is used.
DataBiosphere · Dec 7, 2017 · a80bbf2 · a80bbf2
1 parent f6399ea
commit a80bbf2
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/leonardo/monitor/ClusterMonitorActor.scala b/src/main/scala/org/broadinstitute/dsde/workbench/leonardo/monitor/ClusterMonitorActor.scala
@@ -127,6 +127,9 @@ class ClusterMonitorActor(val cluster: Cluster,
       // Only happens if the cluster was created with a service account other
       // than the compute engine default service account.
       _ <- removeIamRolesForUser
+      // Remove credentials from instance metadata.
+      // Only happens if an override service account was used.
+      _ <- removeCredentialsFromMetadata
       // Add Staging Bucket ACLs to the override service account.
       // Only happens if an override service account was localized onto the cluster.
       _ <- gdDAO.setStagingBucketOwnership(cluster)
@@ -277,4 +280,18 @@ class ClusterMonitorActor(val cluster: Cluster,
         case Right(_) => throw ClusterNotReadyException(cluster.googleProject, cluster.clusterName)
       }
   }
+
+  private def removeCredentialsFromMetadata: Future[Unit] = {
+    cluster.serviceAccountInfo.overrideServiceAccount match {
+      // No override service account: don't remove creds from metadata! We need them.
+      case None => Future.successful(())
+
+      // Remove credentials from instance metadata.
+      // We want to ensure that _only_ the override service account is used;
+      // users should not be able to yank the cluster SA credentials from the metadata server.
+      case Some(_) =>
+        // TODO https://broadinstitute.atlassian.net/browse/GAWB-2961
+        Future.successful(())
+    }
+  }
 }