v0.27.0

@github-actions github-actions released this 13 May 22:19
· 62 commits to main since this release
9cc32f8

New: GCP Service Account Token Injection

iron-proxy can now authenticate outbound requests to Google Cloud APIs on behalf of your agents. The new gcp_auth transform signs a JWT with a service account keyfile, exchanges it for a short-lived OAuth2 access token, and injects an Authorization: Bearer header into matching requests, so agent code never needs to hold the credentials.

The keyfile can be loaded from disk or from any registered secret source (env, aws_sm, aws_ssm, 1password, 1password_connect) using a nested keyfile: block. Tokens are cached and refreshed automatically via golang.org/x/oauth2/google. By default, a token-mint failure causes the request to be rejected with 403; set fallback: skip to pass through unauthenticated instead.

transforms:
  - name: gcp_auth
    config:
      keyfile_path: "/etc/iron-proxy/gcp-sa.json"
      scopes:
        - "https://www.googleapis.com/auth/cloud-platform"
      rules:
        - host: "*.googleapis.com"

# Or load the keyfile from a secret source:
  - name: gcp_auth
    config:
      keyfile:
        type: 1password_connect
        secret_ref: "op://Engineering/GCP-SA/credential"
      scopes:
        - "https://www.googleapis.com/auth/cloud-platform"
      rules:
        - host: "*.googleapis.com"
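
The failure handling described above, modelled as an added Go example (not iron-proxy's own code): it shows which requests receive a token, which are rejected, and which leave the proxy unauthenticated under fallback: skip. The names Apply, Outcome and mint are hypothetical, and matching host rules with path.Match globbing is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path"
)

// Outcome of applying the transform to one outbound request.
type Outcome int

const (
	PassThrough Outcome = iota // forwarded unchanged, no credential attached
	Injected                   // Authorization: Bearer <token> added
	Rejected                   // proxy answers 403, nothing goes upstream
)

// Apply is a hypothetical model of the documented behaviour, not iron-proxy code.
// mint stands in for the JWT-sign-and-exchange step; hostRules uses path.Match
// globbing, which is an assumption about how "*.googleapis.com" is interpreted.
func Apply(req *http.Request, hostRules []string, mint func() (string, error), fallbackSkip bool) Outcome {
	matched := false
	for _, pattern := range hostRules {
		if ok, _ := path.Match(pattern, req.URL.Hostname()); ok {
			matched = true
			break
		}
	}
	if !matched {
		return PassThrough // rule does not apply to this host
	}
	token, err := mint()
	if err != nil {
		if fallbackSkip {
			return PassThrough // fallback: skip, request leaves unauthenticated
		}
		return Rejected // default: fail closed with 403
	}
	req.Header.Set("Authorization", "Bearer "+token) // Set replaces any existing value
	return Injected
}

func main() {
	rules := []string{"*.googleapis.com"}
	broken := func() (string, error) { return "", errors.New("token endpoint unreachable") }
	req, _ := http.NewRequest("GET", "https://storage.googleapis.com/storage/v1/b", nil)
	fmt.Println(Apply(req, rules, broken, false) == Rejected)   // default behaviour
	fmt.Println(Apply(req, rules, broken, true) == PassThrough) // fallback: skip
}
```

With fallback: skip, a mint failure is indistinguishable at the proxy from a non-matching host, so any alerting on token-mint errors has to come from logs rather than from rejected requests.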

Changelog

  • 9cc32f8 feat(gcpauth): inject GCP service account OAuth2 tokens via MITM (#115)