
feat(storage): support auto-detection of access ID for external_accou…
…nt creds (#9208)
BrennaEpp committed Feb 1, 2024
1 parent 29a7498 commit b958d44
Showing 2 changed files with 53 additions and 12 deletions.
30 changes: 18 additions & 12 deletions storage/bucket.go
Expand Up @@ -275,18 +275,24 @@ func (b *BucketHandle) detectDefaultGoogleAccessID() (string, error) {
err := json.Unmarshal(b.c.creds.JSON, &sa)
if err != nil {
returnErr = err
} else if sa.CredType == "impersonated_service_account" {
start, end := strings.LastIndex(sa.SAImpersonationURL, "/"), strings.LastIndex(sa.SAImpersonationURL, ":")

if end <= start {
returnErr = errors.New("error parsing impersonated service account credentials")
} else {
return sa.SAImpersonationURL[start+1 : end], nil
}
} else if sa.CredType == "service_account" && sa.ClientEmail != "" {
return sa.ClientEmail, nil
} else {
returnErr = errors.New("unable to parse credentials; only service_account and impersonated_service_account credentials are supported")
switch sa.CredType {
case "impersonated_service_account", "external_account":
start, end := strings.LastIndex(sa.SAImpersonationURL, "/"), strings.LastIndex(sa.SAImpersonationURL, ":")

if end <= start {
returnErr = errors.New("error parsing external or impersonated service account credentials")
} else {
return sa.SAImpersonationURL[start+1 : end], nil
}
case "service_account":
if sa.ClientEmail != "" {
return sa.ClientEmail, nil
}
returnErr = errors.New("empty service account client email")
default:
returnErr = errors.New("unable to parse credentials; only service_account, external_account and impersonated_service_account credentials are supported")
}
}
}

Expand All @@ -302,7 +308,7 @@ func (b *BucketHandle) detectDefaultGoogleAccessID() (string, error) {
}

}
return "", fmt.Errorf("storage: unable to detect default GoogleAccessID: %w. Please provide the GoogleAccessID or use a supported means for autodetecting it (see https://pkg.go.dev/cloud.google.com/go/storage#hdr-Credential_requirements_for_[BucketHandle.SignedURL]_and_[BucketHandle.GenerateSignedPostPolicyV4])", returnErr)
return "", fmt.Errorf("storage: unable to detect default GoogleAccessID: %w. Please provide the GoogleAccessID or use a supported means for autodetecting it (see https://pkg.go.dev/cloud.google.com/go/storage#hdr-Credential_requirements_for_signing)", returnErr)
}

func (b *BucketHandle) defaultSignBytesFunc(email string) func([]byte) ([]byte, error) {
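Review bot: In the new `case "impersonated_service_account", "external_account":` branch an empty `sa.SAImpersonationURL` makes both `strings.LastIndex` calls return -1, so `end <= start` holds and the caller is told "error parsing external or impersonated service account credentials", which reads as a malformed URL when the field is simply absent; for external_account configurations the `service_account_impersonation_url` field is, as far as I know, optional (federated access without impersonation), so valid credentials that just cannot sign will land on this misleading message. Suggest separating the two situations before parsing: `if sa.SAImpersonationURL == "" { returnErr = errors.New("credentials have no service_account_impersonation_url; signing requires a service account to impersonate") } else if end <= start {`. A comment on the case would also record what is being extracted, e.g. `// the access ID is the service account named in the impersonation URL (.../serviceAccounts/<email>:generateAccessToken)`. detectDefaultGoogleAccessID begins before this hunk and its final return is in the second hunk of this section.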
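--- a/storage/bucket_test.go
+++ b/storage/bucket_test.go
@@ -1211,6 +1211,41 @@ func TestDetectDefaultGoogleAccessID(t *testing.T) {
 },
 expectSuccess: false,
 },
+{
+name: "malformed creds",
+serviceAccount: "default@my-project.iam.gserviceaccount.com",
+creds: func(sa string) string {
+return fmt.Sprintf(`{
+"type": "service_account"
+"project_id": "my-project",
+"private_key_id": "my1",
+"private_key": "-----BEGIN PRIVATE KEY-----\nkey\n-----END PRIVATE KEY-----\n",
+"client_email": "%s",
+}`, sa)
+},
+expectSuccess: false,
+},
+{
+name: "external creds",
+serviceAccount: "default@my-project.iam.gserviceaccount.com",
+creds: func(sa string) string {
+return fmt.Sprintf(`{
+"type": "external_account",
+"audience": "//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID",
+"subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
+"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken",
+"token_url": "https://sts.googleapis.com/v1/token",
+"credential_source": {
+"environment_id": "id",
+"region_url": "region_url",
+"url": "url",
+"regional_cred_verification_url": "ver_url",
+"imdsv2_session_token_url": "tok_url"
+}
+}`, sa)
+},
+expectSuccess: true,
+},
 }
 
 for _, tc := range testCases {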
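Review bot: The new "external creds" case exercises only the success path of the `external_account` branch; the error path in bucket.go that fires when `service_account_impersonation_url` is absent or carries no `/...:` tail has no case in this table. Suggest adding a case such as `name: "external creds without impersonation url"` that omits `service_account_impersonation_url` from the fixture and sets `expectSuccess: false`, and possibly one whose URL lacks the `:generateAccessToken` suffix. The "malformed creds" name could also say what is malformed, e.g. `name: "malformed creds (invalid JSON)"`, since the missing comma after `"type"` is easy to overlook when reading the fixture. The testCases literal and the loop consuming it start before and end after this hunk.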

0 comments on commit b958d44

Please sign in to comment.