gravitational · Tener · Jan 11, 2023 · Jan 3, 2023
diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/proto/teleport/legacy/client/proto/authservice.proto b/api/proto/teleport/legacy/client/proto/authservice.proto
@@ -324,6 +324,8 @@ message RouteToApp {
   string AWSRoleARN = 5 [(gogoproto.jsontag) = "aws_role_arn,omitempty"];
   // AzureIdentity is the Azure identity to assume when accessing Azure API.
   string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity,omitempty"];
+  // GCPServiceAccount is the GCP service account to assume when accessing GCP API.
+  string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account,omitempty"];
 }
 
 // GetUserRequest specifies parameters for the GetUser method.
@@ -706,6 +708,8 @@ message CreateAppSessionRequest {
   string AWSRoleARN = 5 [(gogoproto.jsontag) = "aws_role_arn"];
   // AzureIdentity is Azure identity the user wants to assume.
   string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity"];
+  // GCPServiceAccount is the GCP service account the user wants to assume.
+  string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account"];
 }
 
 // CreateAppSessionResponse contains the requested application web session.

diff --git a/api/proto/teleport/legacy/types/events/events.proto b/api/proto/teleport/legacy/types/events/events.proto
@@ -75,11 +75,14 @@ message UserMetadata {
   // AWSRoleARN is AWS IAM role user assumes when accessing AWS console.
   string AWSRoleARN = 4 [(gogoproto.jsontag) = "aws_role_arn,omitempty"];
 
-  // AzureIdentity is the Azure identity to assume when accessing Azure API.
-  string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity,omitempty"];
-
   // AccessRequests are the IDs of access requests created by the user
   repeated string AccessRequests = 5 [(gogoproto.jsontag) = "access_requests,omitempty"];
+
+  // AzureIdentity is the Azure identity user assumes when accessing Azure API.
+  string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity,omitempty"];
+
+  // GCPServiceAccount is the GCP service account user assumes when accessing GCP API.
+  string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account,omitempty"];
 }
 
 // Server is a server metadata
@@ -3287,6 +3290,8 @@ message Identity {
   ];
   // AzureIdentities is a list of allowed Azure identities user can assume.
   repeated string AzureIdentities = 24 [(gogoproto.jsontag) = "azure_identities,omitempty"];
+  // GCPServiceAccounts is a list of allowed GCP service accounts user can assume.
+  repeated string GCPServiceAccounts = 25 [(gogoproto.jsontag) = "gcp_service_accounts,omitempty"];
 }
 
 // RouteToApp contains parameters for application access certificate requests.
@@ -3303,6 +3308,8 @@ message RouteToApp {
   string AWSRoleARN = 5 [(gogoproto.jsontag) = "aws_role_arn,omitempty"];
   // AzureIdentity is the Azure identity ot assume when accessing Azure API.
   string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity,omitempty"];
+  // GCPServiceAccount is the GCP service account to assume when accessing GCP API.
+  string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account,omitempty"];
 }
 
 // RouteToDatabase combines parameters for database service routing information.

diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -2433,6 +2433,9 @@ message RoleConditions {
     (gogoproto.nullable) = false,
     (gogoproto.jsontag) = "kubernetes_resources,omitempty"
   ];
+
+  // GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
+  repeated string GCPServiceAccounts = 25 [(gogoproto.jsontag) = "gcp_service_accounts,omitempty"];
 }
 
 // KubernetesResource is the Kubernetes resource identifier.

diff --git a/api/types/app.go b/api/types/app.go
@@ -63,6 +63,8 @@ type Application interface {
 	IsAWSConsole() bool
 	// IsAzureCloud returns true if this app represents Azure Cloud instance.
 	IsAzureCloud() bool
+	// IsGCP returns true if this app represents GCP instance.
+	IsGCP() bool
 	// IsTCP returns true if this app represents a TCP endpoint.
 	IsTCP() bool
 	// GetProtocol returns the application protocol.
@@ -242,6 +244,11 @@ func (a *AppV3) IsAzureCloud() bool {
 	return a.Spec.Cloud == CloudAzure
 }
 
+// IsGCP returns true if this app is GCP instance.
+func (a *AppV3) IsGCP() bool {
+	return a.Spec.Cloud == CloudGCP
+}
+
 // IsTCP returns true if this app represents a TCP endpoint.
 func (a *AppV3) IsTCP() bool {
 	return strings.HasPrefix(a.Spec.URI, "tcp://")

diff --git a/api/types/events/events.pb.go b/api/types/events/events.pb.go
diff --git a/api/types/session.go b/api/types/session.go
@@ -323,6 +323,8 @@ type CreateAppSessionRequest struct {
 	AWSRoleARN string `json:"aws_role_arn"`
 	// AzureIdentity is Azure identity this the user wants to assume.
 	AzureIdentity string `json:"azure_identity"`
+	// GCPServiceAccount is GCP service account this the user wants to assume.
+	GCPServiceAccount string `json:"gcp_service_account"`
 }
 
 // Check validates the request.

diff --git a/api/types/types.pb.go b/api/types/types.pb.go