gcloud-cli auth missing #10

ghost · 2023-07-11T16:06:43Z

Environment

sudo-gcp --version
sudo-gcp 0.2.1

Steps to Reproduce

$ cat ./gcloud-tokeninfo
#!/bin/bash
token="${GOOGLE_OAUTH_ACCESS_TOKEN:-"$(gcloud auth print-access-token)"}"
curl --oauth2-bearer "$token" https://openidconnect.googleapis.com/v1/userinfo
echo  # they don't provide a newline ¯\_(ツ)_/¯
curl --oauth2-bearer "$token" https://www.googleapis.com/oauth2/v3/tokeninfo

Expected Result

As implemented in my prototype sudo-gcp:

$ ./sudo-gcp -u packer-build-cli@sns-dev-staging--buckevan.iam.gserviceaccount.com ./gc
loud-tokeninfo
You are authenticated for the next hour as: packer-build-cli@sns-dev-staging--buckevan.iam.gserviceaccount.com
+ ./gcloud-tokeninfo
{
  "sub": "11747330...234366816",
  "picture": "https://lh3.googleusercontent.com/a/default-user\u003ds96-c",
  "email": "packer-build-cli@sns-dev-staging--buckevan.iam.gserviceaccount.com",
  "email_verified": true
}
{
  "azp": "11747330...1234366816",
  "aud": "11747330...1234366816",
  "sub": "11747330...1234366816",
  "scope": "https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.rolemanagement https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.customer https://www.googleapis.com/auth/chrome.management.policy https://www.googleapis.com/auth/admin.directory.userschema https://www.googleapis.com/auth/admin.directory.orgunit https://www.googleapis.com/auth/gmail.settings.sharing https://www.googleapis.com/auth/admin.directory.domain https://www.googleapis.com/auth/gmail.settings.basic https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/sqlservice.login https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/userinfo.email openid",
  "exp": "1689094837",
  "expires_in": "3598",
  "email": "packer-build-cli@sns-dev-staging--buckevan.iam.gserviceaccount.com",
  "email_verified": "true",
  "access_type": "online"
}

Actual Result

$ touch sudo-gcp.toml   # see issue #8 
$ SUDOGCP_SERVICE_ACCOUNT=packer-build-cli@sns-dev-staging--buckevan.iam.gserviceaccount.com ~/.cargo/bin/sudo-gcp ./gcloud-tokeninfo
{
  "error": "invalid_request",
  "error_description": "Invalid Credentials"
}
{
  "azp": "11747330...1234366816",
  "aud": "11747330...1234366816",
  "scope": "https://www.googleapis.com/auth/cloud-platform",
  "exp": "1689094289",
  "expires_in": "2954",
  "access_type": "online"
}

Suggested Fix

Export CLOUDSDK_AUTH_ACCESS_TOKEN in addition to GOOGLE_OAUTH_ACCESS_TOKEN.

The text was updated successfully, but these errors were encountered:

mdtro · 2023-07-11T18:44:23Z

Interesting. We do export CLOUDSDK_AUTH_ACCESS_TOKEN.

sudo-gcp/src/main.rs

Line 73 in 1883e4d

.env("CLOUDSDK_AUTH_ACCESS_TOKEN", access_token.as_ref())

Can you share your script?

ghost added this to the m0: MVP milestone Jul 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gcloud-cli auth missing #10

gcloud-cli auth missing #10

ghost commented Jul 11, 2023

mdtro commented Jul 11, 2023

gcloud-cli auth missing #10

gcloud-cli auth missing #10

Comments

ghost commented Jul 11, 2023

Environment

Steps to Reproduce

Expected Result

Actual Result

Suggested Fix

mdtro commented Jul 11, 2023