Skip to content
Permalink
Browse files

fix(internal): don't use self-signed JWT with impersonation (#788)

The limited audience of the base credential will could cause
failures as it would not be able to comunicate with the iam
credentials api if just default scopes were passed.
  • Loading branch information
codyoss committed Jan 29, 2021
1 parent 3b9d19d commit 1dc7dacd54b4b93f5465b71f2ee8c27e59630454
Showing with 25 additions and 15 deletions.
  1. +25 −15 internal/creds.go
@@ -64,28 +64,38 @@ const (

// credentialsFromJSON returns a google.Credentials based on the input.
//
// - If the JSON is a service account and no scopes provided, returns self-signed JWT auth flow
// - Otherwise, returns OAuth 2.0 flow.
// - A self-signed JWT auth flow will be executed if: the data file is a service
// account, no user are scopes provided, an audience is provided, and
// credentials will not be impersonated.
//
// - Otherwise, executes a stanard OAuth 2.0 flow.
func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*google.Credentials, error) {
cred, err := google.CredentialsFromJSON(ctx, data, ds.GetScopes()...)
if err != nil {
return nil, err
}
if len(data) > 0 && len(ds.Scopes) == 0 && (ds.DefaultAudience != "" || len(ds.Audiences) > 0) {
var f struct {
Type string `json:"type"`
// The rest JSON fields are omitted because they are not used.
}
if err := json.Unmarshal(cred.JSON, &f); err != nil {
// Standard OAuth 2.0 Flow
if len(data) == 0 ||
len(ds.Scopes) > 0 ||
(ds.DefaultAudience == "" && len(ds.Audiences) == 0) ||
ds.ImpersonationConfig != nil {
return cred, nil
}

// Check if JSON is a service account and if so create a self-signed JWT.
var f struct {
Type string `json:"type"`
// The rest JSON fields are omitted because they are not used.
}
if err := json.Unmarshal(cred.JSON, &f); err != nil {
return nil, err
}
if f.Type == serviceAccountKey {
ts, err := selfSignedJWTTokenSource(data, ds.DefaultAudience, ds.Audiences)
if err != nil {
return nil, err
}
if f.Type == serviceAccountKey {
ts, err := selfSignedJWTTokenSource(data, ds.DefaultAudience, ds.Audiences)
if err != nil {
return nil, err
}
cred.TokenSource = ts
}
cred.TokenSource = ts
}
return cred, err
}

0 comments on commit 1dc7dac

Please sign in to comment.