Use golang/oauth2, no longer require client_secrets.json, and use #1679

Merged
merged 1 commit into from Nov 24, 2014

@evandbrown evandbrown commented Nov 18, 2014

This proposal provides 2 security enhancements for the GCE Builder and simplifies the user experience as a result. The replacement of goauth2 with golang/oauth enables these changes:

  1. Compute Engine Service Accounts are supported: If a user runs the GCE builder from a GCE Instance that has service accounts enabled with the correct scopes (and their Packer config file does not specify an account_file), they do not need a private key/account.json file - auth and token exchange are handled by the GCE instance's local metadata service. This eliminates the need for a customer to deploy a secret along with Packer - no creds required!
  2. client_secrets.json is no longer required: This file was previously used only to extract the URIs for auth and token exchange. This functionality is baked into golang/oauth, and removing this as a required file means one less secret file a user has to create and manage. Note: the client_secrets key is no longer supported in the Packer config file and results in an error if present. Customers should be encouraged to update their config and delete that file as part of upgrading to this release.

The patch also updates black box tests to use a current Deb image and conform to the new "no client_secrets.json" requirement.
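
The credential selection described in the comment above, as an added Go sketch (not Packer's code and not part of this pull request). `SelectAuth`, the `onGCE` flag, the error values and the prefix match on `client_secrets` are assumptions made for illustration; the sample config is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrClientSecrets = errors.New("client_secrets is no longer supported: remove the key and delete the file")
	ErrNoCredentials = errors.New("no account_file set and no GCE service account available")
)

// SelectAuth (hypothetical helper) decides how a builder config authenticates.
// onGCE stands in for "the instance metadata service offers a correctly scoped service account".
func SelectAuth(rawConfig []byte, onGCE bool) (string, error) {
	var cfg map[string]json.RawMessage
	if err := json.Unmarshal(rawConfig, &cfg); err != nil {
		return "", fmt.Errorf("parse config: %w", err)
	}
	for key := range cfg {
		// Assumption: match by prefix; the description names the key client_secrets.
		if strings.HasPrefix(key, "client_secrets") {
			return "", ErrClientSecrets
		}
	}
	var accountFile string
	if raw, ok := cfg["account_file"]; ok {
		if err := json.Unmarshal(raw, &accountFile); err != nil {
			return "", fmt.Errorf("account_file must be a string: %w", err)
		}
	}
	switch {
	case accountFile != "":
		return "account_file", nil // explicit key file wins
	case onGCE:
		return "metadata_service", nil // no secret deployed with the tool
	default:
		return "", ErrNoCredentials // fail closed instead of guessing
	}
}

func main() {
	// Constructed sample config: no account_file, run on a GCE instance.
	mode, err := SelectAuth([]byte(`{"type":"googlecompute","project_id":"example-project"}`), true)
	fmt.Println(mode, err)
}
```
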

@erjohnso erjohnso self-assigned this Nov 21, 2014
Service Account when run from a GCE Instance.

@erjohnso erjohnso commented Nov 24, 2014

Thanks @evandbrown - LGTM.

erjohnso added a commit that referenced this pull request Nov 24, 2014
Use golang/oauth2, no longer require client_secrets.json, and use
@erjohnso erjohnso merged commit 87001db into hashicorp:master Nov 24, 2014
1 check passed
continuous-integration/travis-ci The Travis CI build passed

@lamielle lamielle commented Nov 24, 2014

@evandbrown Any chance a similar patch will be applied over on the terraform codebase? Seems like the same auth mechanisms are in use there as well.


@sparkprime sparkprime commented Nov 26, 2014

@lamielle I'm on it :)


@lamielle lamielle commented Nov 26, 2014

Awesome, thanks @sparkprime! Tag me in the PR you submit. I can review the docs (and code to some extent) if that is useful. Let me know if there's anything else that I could help with over on the terraform side!

@hashicorp hashicorp locked and limited conversation to collaborators Apr 10, 2020