Cannot generate Signed URL through google_service_account_access_token #3558
Comments
@salrashid123 I followed your steps and can't repro the Error. Both return the expected outputs. I am using |
yeah, i can still repro this even with
By expected output do you mean an actual signedURL issed by the
The code in https://github.com/terraform-providers/terraform-provider-google/blob/master/google/data_source_storage_object_signed_url.go#L144 looks for a service account's json file that will perform the actual signing ...but the impersonated credential that is supposed to do the signing doesn't have a cert ...there's no way it can sign..the only way maybe if the impersonated credential uses the IAM API to 'sign for itself'
@edwardmedia could you reopen this one? it's a pretty uncommon usage but it's still an issue
@edwardmedia I am running into this same issue, trying to deploy forseti on gke using service account impersonation
Moved away from `google_storage_object_signed_url` as it requires a local json keyfile and I am deploying using service account impersonation. hashicorp/terraform-provider-google#3558
here is an example of generating signedurl with iamcredentials signblob: https://gist.github.com/salrashid123/b8cb77bd0119f3b48610a4d9f16cb167 in this case, the terraform signedurl function would accept the new parameters below and elect to use iamcredentials instead of the certificate file
there are probably cleaner ways but if the last three parameters are set, you can use iamcredentials.
I do see the
…480) * Updating the way Forseti Server Configuration is retrieved from GCS Moved away from `google_storage_object_signed_url` as it requires a local json keyfile and I am deploying using service account impersonation. hashicorp/terraform-provider-google#3558 * Pinning version of helm provider to ~> v0.10 * Passing helm chart version through the on_gke_end_to_end example to the on_gke module Co-authored-by: Gregg Kowalski <10247435+gkowalski-google@users.noreply.github.com>
I also just ran into this when attempting to run terraform on a GCE instance w/ an associated service account. I unfortunately had to upload a key file and use
As is, you can use a service account key instead of an I do also see the benefit of not requiring a local key/exposing that potentially in state. We could treat this as a datasource that just calls iam.SignBlob on a URL for the provider credentials, instead of trying to use a local private key. If we added a Work would just entail adding this if-else logic and a function that calls signBlob
i don't think you can just use the service account name field alone to do this since the actual API could potentially need several additional parameters for it to work (eg if the impersonation requires chained delegation, you wouldn't know which ones to supply in the request)
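To make the "remotely sign via iamcredentials.signBlob" approach from the comments above concrete, here is an added example (not the provider's code and not the linked gist): a GCS V4 signed URL builder whose signature comes from the IAM Credentials signBlob API, with the optional delegation chain the last comment mentions. The service account email, bucket, object and timestamp are constructed sample values; `demo()` runs offline with a fake signer so the request format can be inspected without credentials.

```python
# Added example (not the provider's code): V4 signed URL signed via iamcredentials.signBlob.
import base64
import hashlib
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Optional, Sequence

Signer = Callable[[bytes], bytes]  # bytes to sign -> raw RSA-SHA256 signature bytes

def iamcredentials_signer(sa_email: str, access_token: str,
                          delegates: Optional[Sequence[str]] = None) -> Signer:
    """Remote signing; the bearer token's identity needs roles/iam.serviceAccountTokenCreator."""
    endpoint = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                f"serviceAccounts/{sa_email}:signBlob")
    def sign(payload: bytes) -> bytes:
        body = {"payload": base64.b64encode(payload).decode()}
        if delegates:  # optional delegation chain for impersonation that is not direct
            body["delegates"] = [f"projects/-/serviceAccounts/{d}" for d in delegates]
        req = urllib.request.Request(endpoint, data=json.dumps(body).encode(), headers={
            "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return base64.b64decode(json.load(resp)["signedBlob"])
    return sign

def v4_signed_url(signer: Signer, sa_email: str, bucket: str, obj: str,
                  expires: int, now: datetime, method: str = "GET") -> str:
    """Build the V4 canonical request and string-to-sign (host is the only signed header)."""
    host = "storage.googleapis.com"
    path = f"/{bucket}/" + urllib.parse.quote(obj, safe="/~")
    ts, scope = now.strftime("%Y%m%dT%H%M%SZ"), f"{now:%Y%m%d}/auto/storage/goog4_request"
    params = {"X-Goog-Algorithm": "GOOG4-RSA-SHA256", "X-Goog-Credential": f"{sa_email}/{scope}",
              "X-Goog-Date": ts, "X-Goog-Expires": str(expires), "X-Goog-SignedHeaders": "host"}
    query = "&".join(f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join([method, path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["GOOG4-RSA-SHA256", ts, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    return f"https://{host}{path}?{query}&X-Goog-Signature={signer(string_to_sign.encode()).hex()}"

def demo() -> tuple:
    """Offline run with a fake signer; a real run passes iamcredentials_signer(...) instead."""
    seen = []
    def fake_signer(payload: bytes) -> bytes:
        seen.append(payload)
        return b"\x01\x02"  # stands in for the RSA signature bytes returned by signBlob
    url = v4_signed_url(fake_signer, "sa@p.iam.gserviceaccount.com", "my-bucket",
                        "dir/file.txt", 3600, datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))
    return url, seen[0].decode()
```

The same `v4_signed_url` works with a local-key signer, which is exactly the if-else the comments describe: pick the signer from the configuration, keep the URL construction unchanged.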
You seem to want to create a SignedURL without a service account key, which can be done by the IAMCredential.SignBlob API. Instead of Terraform (which is more an infra tool), can you use gcloud/Python SDK instead? Those tools are more suitable for this type of workflow.
Note from triage: We're not entirely sure what the best way to handle this is, so will leave it up to the product team to decide how to proceed. However, it does seem like a thing that would reasonably make sense to support in Terraform. @benhxy many Terraform-using companies require Terraform to be used for all API interactions, so a gcloud-based workaround may not be sufficient.
google_service_account_access_token allows one service account to impersonate another within a template.
However, when used with google_storage_object_signed_url, the impersonated credential lacks a local service account signing object (json cert, .p12, pem) that's used to sign.
That is, the following config
when used with
gives a signedurl based off of the source account (not the impersonated account)
when used with
gives
Basically, signedurl expects a local signing key. Potential solution would be to 'remotely sign' via
iamcredentials.signBlob()
as described here:
Affected Resource(s)
b/299683703