
Users can't specify non-default scopes for code running on GKE Workload Identity (and possibly AppEngine flex) #458

Closed
ahmedtd opened this issue Aug 8, 2020 · 0 comments · Fixed by #514
Assignees
Labels
feature fix priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. semver: minor A new feature was added. No breaking changes. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

ahmedtd commented Aug 8, 2020

The ComputeEngineCredentials class is used for pulling access and identity tokens when the library is running on GCE, GKE Workload Identity, and AppEngine flex. It doesn't support setting scopes on the resulting access token, because on GCE scopes are handled by assigning them to the VM.

However, this isn't the case on GKE Workload Identity (and possibly AppEngine flex, I am still confirming this). In this environment, there is no concept of a scope lock or default scopes for the access token. Instead the metadata server accepts a ?scopes query parameter on the /computeMetadata/v1/instance/service-accounts/default/token request and creates an access token with the requested scopes.

If no ?scopes are specified, then the returned access token has a hardcoded default set of scopes (cloud-platform and userInfo.email).

This means that users of ComputeEngineCredentials don't have a way to use non-cloud Google APIs when running on GKE Workload Identity, since non-cloud APIs are not included in the cloud-platform access scope.

The GCE Metadata Server accepts the ?scopes parameter without complaint, but ignores it.

I'd like to extend the ComputeEngineCredentials class with a createScoped implementation that will make a new ComputeEngineCredentials instance that passes the ?scopes query parameter, so that code like this will work when running on GKE Workload Identity:

GoogleCredentials.getApplicationDefault().createScoped("https://www.googleapis.com/auth/androidpublisher");
yoshi-automation added the "triage me: I really want to be triaged." label on Aug 8, 2020
elharo added the "feature fix", "priority: p1", "semver: minor" and "type: feature request" labels and removed the "triage me" label on Aug 10, 2020
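The metadata-server exchange described in the issue, as an added Python example that is not code from this library or from the issue author: a client that requests a token with explicit scopes, run against a constructed in-process stand-in that models both the GKE Workload Identity behaviour (scopes honoured) and the GCE behaviour (scopes accepted but ignored). The comma-joined ?scopes format, the fake_metadata_server/transport names and the stand-in's extra "scopes" field are assumptions for the example.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

METADATA_HOST = "http://metadata.google.internal"
TOKEN_PATH = "/computeMetadata/v1/instance/service-accounts/default/token"
# Scopes the issue says the GKE metadata server applies when ?scopes is absent.
DEFAULT_SCOPES = ("https://www.googleapis.com/auth/cloud-platform",
                  "https://www.googleapis.com/auth/userinfo.email")


def token_url(scopes=None, host=METADATA_HOST):
    """Build the token request URL; scopes are comma-joined (assumed format)."""
    url = host + TOKEN_PATH
    if scopes:
        url += "?" + urlencode({"scopes": ",".join(scopes)})
    return url


def http_get(url, headers):
    """Real transport: only reachable from inside GCE / GKE / AppEngine flex."""
    with urlopen(Request(url, headers=headers), timeout=5) as resp:
        return resp.status, resp.read()


def fetch_token(scopes=None, transport=http_get):
    """Client side: ask the metadata server for an access token with `scopes`."""
    status, body = transport(token_url(scopes), {"Metadata-Flavor": "Google"})
    if status != 200:
        raise RuntimeError("metadata server returned HTTP %d" % status)
    return json.loads(body)


def fake_metadata_server(honour_scopes, fixed_scopes=DEFAULT_SCOPES):
    """Constructed stand-in for the metadata server (hypothetical helper).
    honour_scopes=True models GKE Workload Identity; False models GCE, where
    the token carries the VM's assigned scopes (`fixed_scopes`) regardless of
    ?scopes. The 'scopes' field is added here for inspection only; the real
    server does not return it, so callers must check scopes out of band."""
    def transport(url, headers):
        parts = urlsplit(url)
        if parts.path != TOKEN_PATH or headers.get("Metadata-Flavor") != "Google":
            return 403, b"missing Metadata-Flavor header or unknown path"
        requested = parse_qs(parts.query).get("scopes", [""])[0]
        scopes = requested.split(",") if honour_scopes and requested else list(fixed_scopes)
        body = {"access_token": "ya29.constructed", "expires_in": 3599,
                "token_type": "Bearer", "scopes": scopes}
        return 200, json.dumps(body).encode()
    return transport
```

Running `fetch_token(scopes, transport=fake_metadata_server(False))` shows why the issue matters: on GCE the request succeeds but the scope list is unchanged, so a caller that only checks for HTTP 200 cannot tell that its requested scope was dropped.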