Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIF support for GCP auth engine #204

Merged
merged 6 commits into from
May 9, 2024
Merged

WIF support for GCP auth engine #204

merged 6 commits into from
May 9, 2024

Conversation

vinay-gopalan
Copy link
Contributor

@vinay-gopalan vinay-gopalan commented Apr 27, 2024
edited
Loading

This PR adds plugin WIF support to the GCP auth engine. This adds the following new fields to the config endpoint to enable configuring Workload Identity Federation:

  • identity_token_audience
  • identity_token_ttl
  • service_account_email

The PR adds the PluginIdentityTokenSupplier Credential Provider that fetches a plugin identity token from Vault and passes it to an external account Token Source for a valid federated credential exchange. The PR also pulls in the latest tag v0.9.0 for the go-gcp-common library with WIF utils.

fairclothjm
fairclothjm reviewed May 8, 2024
View reviewed changes
plugin/backend.go Outdated Show resolved Hide resolved
fairclothjm
fairclothjm reviewed May 8, 2024
View reviewed changes
plugin/backend.go
var _ externalaccount.SubjectTokenSupplier = (*PluginIdentityTokenSupplier)(nil)

func (p *PluginIdentityTokenSupplier) SubjectToken(ctx context.Context, opts externalaccount.SupplierOptions) (string, error) {
p.logger.Info("fetching new plugin identity token")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I would make this debug level or maybe even trace.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opted to keep this particular line at the Info level to be consistent with the AWS and Azure implementations

Zlaticanin
Zlaticanin approved these changes May 9, 2024
View reviewed changes
Copy link

@Zlaticanin Zlaticanin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Great work on this! I was able to go through the workflow and everything works as expected. 👏

@vinay-gopalan
Copy link
Contributor Author

Thanks!

@vinay-gopalan vinay-gopalan merged commit bd3bf14 into main May 9, 2024
5 checks passed
@vinay-gopalan vinay-gopalan deleted the VAULT-25152/gcp-auth-wif branch May 9, 2024 20:39
@shinji62 shinji62 mentioned this pull request Oct 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fairclothjm fairclothjm fairclothjm approved these changes

@Zlaticanin Zlaticanin Zlaticanin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vinay-gopalan @fairclothjm @Zlaticanin