Fix Google connector ADC implementation within GKE environments #2680

Open. Wants to merge 1 commit into base: master

Conversation

ichbinfrog (Contributor)

Overview

Adapt the google connector for using application default credentials in GKE.

What this PR does / why we need it

Closes #2676

Upon further testing in a GKE cluster, this line seems to return an empty JSON credential and therefore makes ADC login fail. The default behavior of the google.FindDefaultCredentials function is the following:

On Google Compute Engine, Google App Engine standard second generation runtimes (>= Go 1.11), and Google App Engine flexible environment, it fetches credentials from the metadata server.

The credential.JSON is empty in GKE environments, hence the error. In order to fetch the credentials (token) from the metadata server, the only method I found that worked without returning PERMISSION_DENIED is to use the flow defined in the impersonate package:

  • The base Application Default Credentials is used (SA1)
  • That service account (SA1) is then used to impersonate the service account designated by the targetPrincipal field (SA2)
  • SA2's token source is then used to impersonate the Google Workspace super user designated by adminEmail

TBH, I'm not sure if this is the canonical way of doing it and I've raised a question here googleapis/google-api-go-client#1698.

Special notes for your reviewer

Does this PR introduce a user-facing change?


@nabokihms nabokihms added the release-note/bug-fix Release note: Bug Fixes label Sep 23, 2022
@nabokihms nabokihms added this to the v2.34.1 milestone Sep 23, 2022
@nabokihms (Member)

@ichbinfrog Before starting the review process, I have a little question. Did it work previously on GKE and GCP without specifying a service account path (without groups)?

@ichbinfrog (Contributor, Author)

@nabokihms during my initial tests it worked on GKE. However, I realized when the issue was submitted that I had a residual json key in the container which was picked up by the google.FindDefaultCredentials function so authentication still used the JSON credentials instead of workload identity.

@sagikazarmark sagikazarmark modified the milestones: v2.34.1, v2.35.0, v2.36.0 Sep 28, 2022
@ichbinfrog ichbinfrog marked this pull request as ready for review November 16, 2022 13:34
@nabokihms nabokihms modified the milestones: v2.36.0, v2.37.0 Mar 6, 2023
@sagikazarmark sagikazarmark modified the milestones: v2.37.0, v2.38.0 May 12, 2023
@sagikazarmark sagikazarmark modified the milestones: v2.38.0, v2.39.0 Jan 25, 2024
@nabokihms nabokihms removed this from the v2.39.0 milestone Jun 3, 2024
Labels: release-note/bug-fix (Release note: Bug Fixes)

Linked issue (may be closed by merging this pull request): Google connector with ADC: unexpected end of JSON input