Supporting impersonated service count (builds on #76) #77

Open
wants to merge 2 commits into
base: main
@msdrigg msdrigg commented Aug 18, 2023

This PR adds service account impersonation. It uses a generic `Box<dyn ServiceAccount>` to get the source token and then uses that token to refresh the impersonated account from the `service_account_impersonation_url`.

This PR supports parsing both formats in either the `GOOGLE_APPLICATION_CREDENTIALS` env variable or the `~/.config/gcloud/application_default_credentials.json` file.
// account specified by `service_account_impersonation_url`.
// refresh logic https://github.com/golang/oauth2/blob/a835fc4358f6852f50c4c5c33fddcd1adade5b0a/google/internal/externalaccount/impersonate.go#L57
#[derive(Deserialize, Debug)]
pub(crate) struct ImpersonatedServiceAccountCredentials {
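
Review bot: `#[derive(Deserialize, Debug)]` on `ImpersonatedServiceAccountCredentials` puts a derived `Debug` on a credentials struct. If the struct carries the source credentials, any `{:?}` in a log line or error path will print them. Consider a hand-written `Debug` impl that redacts secret fields, or dropping `Debug` from this derive.
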
@msdrigg msdrigg Aug 18, 2023

The only weirdness about this PR is that I put the deserialization for `ImpersonatedServiceAccount` inside the `flexible_credential_source` file. I did this because in theory the source credentials could be anything (the referenced Go SDK source didn't discriminate between what the source credentials were).

If there is a cleaner approach to this, please let me know.

This PR adds a new `ServiceAccount` format that takes credentials from `source_credentials: ServiceAccount` and then makes a request to get a service account token using those credentials.

This also adds the ability to parse the token format created by `gcloud auth application-default login --impersonate-service-account <service account>`
@msdrigg msdrigg changed the title Supporting impersonated service ccount (depends on #76) Supporting impersonated service count (builds on #76) Aug 18, 2023
msdrigg commented Aug 18, 2023

Tested this PR with real world keys

  • Tested with GOOGLE_APPLICATION_CREDENTIALS and ~/.config/gcloud/application_default_credentials.json and verified the new tagged enum is used in both cases
  • Tested with service account key, user creds, and an impersonated service account and verified that I can make API calls
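
The flow this PR describes (take a token from the source credential, then present it at `service_account_impersonation_url`), as an added example that is not code from this PR or the project. The type names are hypothetical, the pinned URL prefix is the form gcloud writes for impersonated credentials, the destination check and the fixed `3600s` lifetime are assumptions of the example, and no request is sent.

```rust
// Added example: TokenSource, StaticSource, Impersonated and Request are hypothetical names.
// Nothing is sent over the network; the code only builds the request.
trait TokenSource {
    fn token(&self) -> Result<String, String>;
}
// Constructed stand-in for a key file, user credential or metadata server.
struct StaticSource(&'static str);
impl TokenSource for StaticSource {
    fn token(&self) -> Result<String, String> { Ok(self.0.to_string()) }
}

struct Impersonated {
    source: Box<dyn TokenSource>,
    service_account_impersonation_url: String,
}
struct Request { url: String, authorization: String, body: String }

const IAM_PREFIX: &str = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/";
const IAM_SUFFIX: &str = ":generateAccessToken";

impl Impersonated {
    // Builds the POST that trades the source token for an impersonated one.
    fn build_request(&self, scopes: &[&str]) -> Result<Request, String> {
        let url = &self.service_account_impersonation_url;
        // Pin the destination before the source token is fetched or attached:
        // the URL comes from the credentials file, so treat it as untrusted input.
        url.strip_prefix(IAM_PREFIX)
            .and_then(|rest| rest.strip_suffix(IAM_SUFFIX))
            .filter(|a| !a.is_empty() && !a.contains(&['/', '?', '#'][..]))
            .ok_or_else(|| format!("refusing impersonation URL: {}", url))?;
        if scopes.iter().any(|s| s.contains('"') || s.contains('\\')) {
            return Err("scope would need JSON escaping".to_string());
        }
        let scope_json: Vec<String> = scopes.iter().map(|s| format!("\"{}\"", s)).collect();
        Ok(Request {
            url: url.clone(),
            authorization: format!("Bearer {}", self.source.token()?),
            body: format!("{{\"scope\":[{}],\"lifetime\":\"3600s\"}}", scope_json.join(",")),
        })
    }
}

fn main() {
    let service_account_impersonation_url = format!("{}deploy@example-project.iam.gserviceaccount.com{}", IAM_PREFIX, IAM_SUFFIX);
    let creds = Impersonated { source: Box::new(StaticSource("constructed-source-token")), service_account_impersonation_url };
    let req = creds.build_request(&["https://www.googleapis.com/auth/cloud-platform"]).unwrap();
    println!("POST {} ({} byte auth header)\n{}", req.url, req.authorization.len(), req.body);
}
```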
