From 3cfb4e7d2e853efb0706deeebb9896935d7a5087 Mon Sep 17 00:00:00 2001
From: Emily Ye
Date: Mon, 10 Dec 2018 11:04:02 -0800
Subject: [PATCH 1/2] remove explicit project for service account
---
 plugin/authorizer_gce.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugin/authorizer_gce.go b/plugin/authorizer_gce.go
index d9346a9b..cfe2c97e 100644
--- a/plugin/authorizer_gce.go
+++ b/plugin/authorizer_gce.go
@@ -140,7 +140,7 @@ func AuthorizeGCE(ctx context.Context, i *AuthorizeGCEInput) error {
 // Verify instance is running under one of the allowed service accounts.
 if len(i.boundServiceAccounts) > 0 {
 // ServiceAccount wraps a call to the GCP IAM API to get a service account.
-name := fmt.Sprintf("projects/%s/serviceAccounts/%s", i.project, i.serviceAccount)
+name := fmt.Sprintf("projects/-/serviceAccounts/%s", i.serviceAccount)
 saId, saEmail, err := i.client.ServiceAccount(ctx, name)
 if err != nil {
From 01626ba31d908e0db50749800344a5ac67a6ea73 Mon Sep 17 00:00:00 2001
From: Emily Ye
Date: Mon, 10 Dec 2018 11:13:16 -0800
Subject: [PATCH 2/2] add project back into gce authorizer object
---
 plugin/authorizer_gce.go | 4 ++--
 plugin/path_login.go | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/plugin/authorizer_gce.go b/plugin/authorizer_gce.go
index cfe2c97e..c0ce98de 100644
--- a/plugin/authorizer_gce.go
+++ b/plugin/authorizer_gce.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "strings"
+"github.com/hashicorp/errwrap"
 "github.com/hashicorp/vault/helper/strutil"
 )
@@ -144,8 +145,7 @@ func AuthorizeGCE(ctx context.Context, i *AuthorizeGCEInput) error {
 saId, saEmail, err := i.client.ServiceAccount(ctx, name)
 if err != nil {
-return fmt.Errorf("could not find service account %q in project %q: %s",
-i.serviceAccount, i.project, err)
+return errwrap.Wrapf(fmt.Sprintf("could not find service account %q: {{err}}", i.serviceAccount), err)
 }
 if !(strutil.StrListContains(i.boundServiceAccounts, saEmail) ||
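Review bot: With `projects/-/serviceAccounts/%s` the IAM lookup in AuthorizeGCE no longer scopes the account to `i.project`, so nothing in this hunk confirms that the resolved account belongs to the instance's project; the authorization decision now rests entirely on the `boundServiceAccounts` membership check against the returned email that follows (visible in the second patch's hunk of the same file). If the bound list is meant to be the sole control that is acceptable, but the lookup line should say so now that the project was deliberately dropped, e.g. `// "-" lets IAM resolve the account by email or unique ID in any project; project membership is not verified here, only the boundServiceAccounts match below.` above the Sprintf. The hunk's trailing context line appears to be missing from this rendering, and AuthorizeGCE continues outside the hunk.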
diff --git a/plugin/path_login.go b/plugin/path_login.go
index 0ec62478..39adbc7f 100644
--- a/plugin/path_login.go
+++ b/plugin/path_login.go
@@ -442,7 +442,7 @@ func (b *GcpAuthBackend) pathGceLogin(ctx context.Context, req *logical.Request,
 metadata.ProjectId, metadata.Zone, metadata.InstanceName, err)), nil
 }
-if err := b.authorizeGCEInstance(ctx, instance, req.Storage, role, loginInfo.EmailOrId); err != nil {
+if err := b.authorizeGCEInstance(ctx, metadata.ProjectId, instance, req.Storage, role, loginInfo.EmailOrId); err != nil {
 return logical.ErrorResponse(err.Error()), nil
 }
@@ -575,7 +575,7 @@ func (b *GcpAuthBackend) pathGceRenew(ctx context.Context, req *logical.Request,
 if !ok {
 return errors.New("invalid auth metadata: service_account_id not found")
 }
-if err := b.authorizeGCEInstance(ctx, instance, req.Storage, role, serviceAccountId); err != nil {
+if err := b.authorizeGCEInstance(ctx, meta.ProjectId, instance, req.Storage, role, serviceAccountId); err != nil {
 return fmt.Errorf("could not renew token for role %s: %v", roleName, err)
 }
@@ -631,7 +631,7 @@ func getInstanceMetadataFromAuth(authMetadata map[string]string) (*gcputil.GCEId
 // authorizeGCEInstance returns an error if the given GCE instance is not
 // authorized for the role.
-func (b *GcpAuthBackend) authorizeGCEInstance(ctx context.Context, instance *compute.Instance, s logical.Storage, role *gcpRole, serviceAccountId string) error {
+func (b *GcpAuthBackend) authorizeGCEInstance(ctx context.Context, project string, instance *compute.Instance, s logical.Storage, role *gcpRole, serviceAccountId string) error {
 httpC, err := b.httpClient(ctx, s)
 if err != nil {
 return err
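Review bot: The doc comment above authorizeGCEInstance is not updated for the new `project` parameter, and the two call sites in this file pass different sources for it (`metadata.ProjectId` on login, `meta.ProjectId` on renew), so a reader of the signature cannot tell what value is expected. Suggest extending the comment with `// project is the instance's GCP project ID as carried by the login or stored-auth metadata; it is recorded on the authorizer input alongside serviceAccountId.` The body of authorizeGCEInstance continues outside the hunk, and the hunk's closing context line is not shown in this rendering.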
@@ -652,8 +652,8 @@ func (b *GcpAuthBackend) authorizeGCEInstance(ctx context.Context, instance *com
 computeSvc: gceClient,
 iamSvc: iamClient,
 },
-serviceAccount: serviceAccountId,
-
+serviceAccount: serviceAccountId,
+project: project,
 instanceLabels: instance.Labels,
 instanceSelfLink: instance.SelfLink,
 instanceZone: instance.Zone,
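Review bot: `project: project` puts the field back on the authorizer input (presumably AuthorizeGCEInput), but the first patch in this series removed the only visible read of `i.project` (the `projects/%s/serviceAccounts/%s` lookup) and the second patch's error message drops it as well, so within these two commits the field is written and never read. If AuthorizeGCE still consumes it outside the shown hunks (for example a bound-project or zone/region check) this is fine; if not, it is dead state that a later reader may mistake for an enforced control. Either way a field comment on the struct definition, which is outside this diff, would settle it, e.g. `// project is the instance's project ID; the service-account lookup is project-agnostic, so this is for the other bound checks only.` The enclosing authorizeGCEInstance starts before and continues after this hunk.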