Status: Open
Labels: A-testeng-infra; A-testing (Testing tools and infrastructure); C-enhancement (Solution expected to add code/behavior + preserve backward-compat; pg compat issues are the exception); T-testeng (TestEng Team)
Description
Problem: The initial authentication method using GCP Identity-Aware Proxy doesn't expose user identity or group membership, making it impossible to implement proper access controls or audit trails. We need a system that supports both human users (with SSO/MFA) and service accounts (for CI/CD), provides token revocation, and enables granular permissions based on team membership.
Solution: Implement CRL's auth provider-based authentication following the design described in the design doc. The system should:
- Support human login via a Device Flow, exchanging tokens for first-party opaque tokens
- Enable service account creation with static, revocable tokens
- Store tokens securely (SHA-256 hashed) with configurable TTLs
- Map the auth provider groups to permissions (e.g., the engineering group gets access to engineering's cloud accounts)
- Provide token management endpoints for creation, revocation, and inspection
- Log all authentication events for audit purposes
This gives proper identity-aware access control while supporting both interactive and automated use cases.
Jira issue: CRDB-56180
Epic: CRDB-49123
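The token-store behaviour the list above asks for (opaque first-party tokens stored only as SHA-256 hashes, configurable TTLs, static revocable service-account tokens, group-to-permission mapping and an audit trail) as an added Go example. This is not code from the CockroachDB repository or from the linked design doc; the type names, the `engineering -> cloud:engineering` mapping, the injected clock and the in-memory map are assumptions for illustration. The Device Flow exchange with the upstream provider is out of scope; the example starts where a first-party token is minted.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// TokenKind distinguishes interactive users from CI/CD service accounts.
type TokenKind string

const (
	KindHuman          TokenKind = "human"
	KindServiceAccount TokenKind = "service-account"
)

// record is what the store persists: never the token itself, only metadata
// keyed by its SHA-256 hash. ExpiresAt zero means a static (non-expiring) token.
type record struct {
	Subject   string
	Kind      TokenKind
	Groups    []string
	ExpiresAt time.Time
	Revoked   bool
}

// AuditEvent is one entry of the authentication audit trail.
type AuditEvent struct {
	At      time.Time
	Action  string // "issue", "auth_ok", "auth_fail", "revoke"
	Subject string
	Detail  string
}

// ErrUnauthenticated is deliberately the same for unknown, expired and revoked
// tokens so a caller cannot distinguish them; the audit log keeps the reason.
var ErrUnauthenticated = errors.New("invalid, expired or revoked token")

// Store maps hex(SHA-256(token)) -> record. A leaked copy of the store cannot be
// replayed as bearer tokens because plaintext tokens are never kept.
// (hypothetical in-memory store; the real system would back this with a table)
type Store struct {
	now     func() time.Time    // injected clock so TTL handling is testable
	records map[string]*record
	perms   map[string][]string // auth-provider group -> granted permissions
	Audit   []AuditEvent
}

func NewStore(now func() time.Time, perms map[string][]string) *Store {
	return &Store{now: now, records: map[string]*record{}, perms: perms}
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// Issue mints a 256-bit random opaque token, stores only its hash and returns
// the plaintext exactly once. ttl <= 0 yields a static service-account token.
func (s *Store) Issue(subject string, kind TokenKind, groups []string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	rec := &record{Subject: subject, Kind: kind, Groups: groups}
	if ttl > 0 {
		rec.ExpiresAt = s.now().Add(ttl)
	}
	s.records[hashToken(tok)] = rec
	s.log("issue", subject, string(kind))
	return tok, nil
}

// Authenticate resolves a bearer token to its subject and effective permissions,
// rejecting unknown, revoked and expired tokens and logging every outcome.
func (s *Store) Authenticate(tok string) (string, []string, error) {
	rec, ok := s.records[hashToken(tok)]
	switch {
	case !ok:
		s.log("auth_fail", "", "unknown token")
		return "", nil, ErrUnauthenticated
	case rec.Revoked:
		s.log("auth_fail", rec.Subject, "revoked")
		return "", nil, ErrUnauthenticated
	case !rec.ExpiresAt.IsZero() && !s.now().Before(rec.ExpiresAt):
		s.log("auth_fail", rec.Subject, "expired")
		return "", nil, ErrUnauthenticated
	}
	var perms []string
	for _, g := range rec.Groups {
		perms = append(perms, s.perms[g]...) // groups without a mapping grant nothing
	}
	s.log("auth_ok", rec.Subject, string(rec.Kind))
	return rec.Subject, perms, nil
}

// Revoke marks a token unusable; the record stays so the audit trail keeps its subject.
func (s *Store) Revoke(tok string) bool {
	rec, ok := s.records[hashToken(tok)]
	if !ok {
		return false
	}
	rec.Revoked = true
	s.log("revoke", rec.Subject, "")
	return true
}

func (s *Store) log(action, subject, detail string) {
	s.Audit = append(s.Audit, AuditEvent{At: s.now(), Action: action, Subject: subject, Detail: detail})
}

func main() {
	// Constructed demo: one human with a 1h TTL, one static CI token that gets revoked.
	s := NewStore(time.Now, map[string][]string{"engineering": {"cloud:engineering"}})
	human, _ := s.Issue("alice", KindHuman, []string{"engineering"}, time.Hour)
	ci, _ := s.Issue("ci-bot", KindServiceAccount, []string{"ci"}, 0)
	s.Revoke(ci)
	sub, perms, err := s.Authenticate(human)
	fmt.Println(sub, perms, err)
	_, _, err = s.Authenticate(ci)
	fmt.Println("revoked token:", err)
	for _, e := range s.Audit {
		fmt.Printf("%s %-9s %-7s %s\n", e.At.Format(time.RFC3339), e.Action, e.Subject, e.Detail)
	}
}
```

Two design points worth noting: the store returns one generic error for every failed lookup so the API does not leak whether a token existed, while the audit log records the precise reason; and revocation keeps the hashed record rather than deleting it, so later presentations of a revoked token are still attributable to a subject in the audit trail.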