fix: service account impersonation with workforce credentials #770

Merged
merged 10 commits into from Oct 21, 2021

lsirac
Collaborator

@lsirac lsirac commented Oct 13, 2021

While service account impersonation is not commonly used with workforce pool configurations, there is a bug where the workforcePoolUserProject is not being set on the source credential.

This also lets us align with other languages who added the workforcePoolUserProject to the base class, instead of IdentityPoolCredentials (though it is the only one that currently supports it).

The bug itself is fixed by the refactor. By moving workforcePoolUserProject to be set in the base constructor, it is set before initializeImpersonatedCredentials() is called. A copy of the source credential is then made that has the workforcePoolUserProject set. Prior to this it was not set and the impersonation call resulted in a 403.
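
The ordering problem described in the comment above, as an added Java sketch that is not code from the pull request or the library. The class names, constructor shapes and sample project value are hypothetical, and it assumes the copy of the source credential is taken while the base constructor runs.

```java
// Added illustration; simplified hypothetical classes, not the library's code.
public class InitOrderSketch {
    /** Stand-in for the copy of the source credential used for the impersonation call. */
    static final class SourceCopy {
        final String workforcePoolUserProject; // stays null if it was never set
        SourceCopy(String userProject) { this.workforcePoolUserProject = userProject; }
    }

    /** Before: the subclass owns the field and assigns it after super() has returned. */
    static class BaseBefore {
        protected String workforcePoolUserProject;
        final SourceCopy impersonationSource;
        BaseBefore() {
            // Assumption: the copy is taken while the base constructor runs.
            this.impersonationSource = initializeImpersonatedCredentials();
        }
        SourceCopy initializeImpersonatedCredentials() {
            return new SourceCopy(workforcePoolUserProject);
        }
    }
    static final class PoolBefore extends BaseBefore {
        PoolBefore(String userProject) {
            super();                                     // copy taken here, field still null
            this.workforcePoolUserProject = userProject; // too late for the copy
        }
    }

    /** After: the base constructor sets the field first, then takes the copy. */
    static class BaseAfter {
        protected final String workforcePoolUserProject;
        final SourceCopy impersonationSource;
        BaseAfter(String userProject) {
            this.workforcePoolUserProject = userProject;
            this.impersonationSource = new SourceCopy(this.workforcePoolUserProject);
        }
    }
    static final class PoolAfter extends BaseAfter {
        PoolAfter(String userProject) { super(userProject); }
    }

    public static void main(String[] args) {
        String project = "constructed-project-number"; // constructed sample value
        String before = new PoolBefore(project).impersonationSource.workforcePoolUserProject;
        String after = new PoolAfter(project).impersonationSource.workforcePoolUserProject;
        System.out.println("before refactor, copy carries: " + before);
        System.out.println("after refactor, copy carries:  " + after);
        if (before != null || !project.equals(after)) throw new AssertionError("unexpected");
    }
}
```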

@lsirac lsirac requested a review from as a code owner Oct 13, 2021
@google-cla google-cla bot added the cla: yes label Oct 13, 2021
Member

@TimurSadykov TimurSadykov left a comment

Some general comments for now. Can you please highlight the bugfix itself? Otherwise refactoring hides it

@lsirac lsirac requested a review from TimurSadykov Oct 19, 2021
Member

@TimurSadykov TimurSadykov left a comment

Looks good, couple small comments

@lsirac lsirac requested a review from TimurSadykov Oct 20, 2021
Member

@TimurSadykov TimurSadykov left a comment

LGTM

@chanseokoh chanseokoh added the kokoro:force-run label Oct 21, 2021
@kokoro-team kokoro-team removed the kokoro:force-run label Oct 21, 2021
@lsirac lsirac merged commit 6449ef0 into googleapis:main Oct 21, 2021
14 checks passed
@lsirac lsirac deleted the sa_wf branch Oct 21, 2021