Use golang/oauth2, no longer require client_secrets.json, and use #1679

Merged
merged 1 commit into from Nov 24, 2014

Contributor

evandbrown commented Nov 18, 2014

This proposal provides 2 security enhancements for the GCE Builder and simplifies the user experience as a result. The replacement of goauth2 with golang/oauth enables these changes:

  1. Compute Engine Service Accounts are supported: If a user runs the GCE builder from a GCE Instance that has service accounts enabled with the correct scopes (and their Packer config file does not specify an account_file), they do not need a private key/account.json file - auth and token exchange are handled by the GCE instance's local metadata service. This eliminates the need for a customer to deploy a secret along with Packer - no creds required!
  2. client_secrets.json is no longer required: This file was previously used only to extract the URIs for auth and token exchange. This functionality is baked into golang/oauth, and removing this as a required file means one less secret file a user has to create and manage. Note: the client_secrets key is no longer supported in the Packer config file and results in an error if present. Customers should be encouraged to update their config and delete that file as part of upgrading to this release.

The patch also updates black box tests to use a current Deb image and conform to the new "no client_secrets.json" requirement.
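The credential selection described in this PR, sketched as an added example (not code from the pull request or from Packer). It uses only the standard library rather than golang/oauth2; the `Config` struct and both function names are hypothetical, and the caller is assumed to pass the instance's default service account token endpoint, `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Config holds the two keys from the PR description (hypothetical struct, not Packer's own).
type Config struct{ AccountFile, ClientSecrets string }

// Token is the part of the metadata service's JSON reply used here.
type Token struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
}

// CredentialSource picks where credentials come from and rejects the removed key.
func CredentialSource(c Config) (string, error) {
	if c.ClientSecrets != "" {
		return "", fmt.Errorf("client_secrets is no longer supported; remove it from the config")
	}
	if c.AccountFile != "" {
		return "account_file", nil
	}
	return "metadata", nil // no key file: use the instance's service account
}

// FetchMetadataToken gets a short-lived token from the metadata service at url.
func FetchMetadataToken(client *http.Client, url string) (*Token, error) {
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata-Flavor", "Google") // header the GCE metadata server requires
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata service returned %s", resp.Status)
	}
	t := new(Token)
	if err := json.NewDecoder(resp.Body).Decode(t); err != nil || t.AccessToken == "" {
		return nil, fmt.Errorf("unusable token response: %v", err)
	}
	return t, nil
}
func main() {
	fmt.Println(CredentialSource(Config{ClientSecrets: "client_secrets.json"}))
}
```

The token returned this way is short-lived and scoped by the instance's configured service account scopes, so nothing long-lived has to be stored next to the Packer template.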

@erjohnso erjohnso self-assigned this Nov 21, 2014

Use golang/oauth2, no longer require client_secrets.json, and use
Service Account when run from a GCE Instance.

@sparkprime sparkprime referenced this pull request in hashicorp/terraform Nov 22, 2014

Closed

Remove the client secrets file for Google provider #452

Collaborator

erjohnso commented Nov 24, 2014

Thanks @evandbrown - LGTM.

erjohnso added a commit that referenced this pull request Nov 24, 2014

Merge pull request #1679 from evandbrown/gce-service-accounts
Use golang/oauth2, no longer require client_secrets.json, and use

@erjohnso erjohnso merged commit 87001db into hashicorp:master Nov 24, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed
lamielle Nov 24, 2014

@evandbrown Any chance a similar patch will be applied over on the terraform codebase? Seems like the same auth mechanisms are in use there as well.


@sparkprime sparkprime referenced this pull request in hashicorp/terraform Nov 26, 2014

Closed

Authenticate Terraform using GCE metadata tokens #606

Contributor

sparkprime commented Nov 26, 2014

@lamielle I'm on it :)

lamielle Nov 26, 2014

Awesome, thanks @sparkprime! Tag me in the PR you submit. I can review the docs (and code to some extent) if that is useful. Let me know if there's anything else that I could help with over on the terraform side!


@sparkprime sparkprime referenced this pull request in hashicorp/terraform Jan 30, 2015

Merged

Port to oauth2, fix #606 #900
