Manage credentials without GCP Service Account as a middleman #87

Open
nazarewk opened this issue Nov 13, 2024 · 1 comment · May be fixed by #88


nazarewk commented Nov 13, 2024

I am not sure since when (probably quite recently) it is possible to grant direct resource access to federation principals without using GCP Service Account as a middleman.

It would be great to support this use case here.

When I try to skip the service account email annotation I get this error:

```go
return nil, fmt.Errorf("%s, %s must set at a time", filepath.Join(annotationDomain, WorkloadIdentityProviderAnnotation), filepath.Join(annotationDomain, TokenExpirationAnnotation))
```

which at the same time is wrong (it should point to the service account annotation, not the expiration annotation).

nazarewk commented Nov 13, 2024

I found it could theoretically work if not for parsing the project out of the Service Account Email:

```go
//
// calculate project from service account
//
matches := projectRegex.FindStringSubmatch(*idConfig.ServiceAccountEmail)
project := ""
if len(matches) >= 2 {
	project = matches[1] // group 0 is the whole match
}
```

EDIT: and a few more places

nazarewk added a commit to nazarewk/gcp-workload-identity-federation-webhook that referenced this issue Nov 13, 2024
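As an added example (not the webhook's own code), here is an annotation parser in which the service account email is optional, the project is derived only when the email is present, and the error names the right annotation. The annotation keys, the `IdentityConfig` type and the project regex are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed annotation keys; the real webhook uses its own domain and constants.
const (
	annotationDomain                   = "example.com"
	workloadIdentityProviderAnnotation = annotationDomain + "/workload-identity-provider"
	serviceAccountEmailAnnotation      = annotationDomain + "/service-account-email"
)

// Assumed pattern: a service account email is <name>@<project>.iam.gserviceaccount.com,
// where the project ID is 6-30 chars of lowercase letters, digits and hyphens.
var projectRegex = regexp.MustCompile(`^[^@]+@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$`)

// IdentityConfig is an assumed stand-in for the webhook's config structure.
type IdentityConfig struct {
	WorkloadIdentityProvider string
	ServiceAccountEmail      *string // nil: federated principal accesses resources directly
	Project                  string  // derived from the email only when one is set
}

// ParseAnnotations requires the provider annotation and treats the service
// account email as optional, so the no-impersonation case is accepted.
func ParseAnnotations(annotations map[string]string) (*IdentityConfig, error) {
	provider := annotations[workloadIdentityProviderAnnotation]
	if provider == "" {
		return nil, fmt.Errorf("%s must be set", workloadIdentityProviderAnnotation)
	}
	cfg := &IdentityConfig{WorkloadIdentityProvider: provider}
	email := annotations[serviceAccountEmailAnnotation]
	if email == "" {
		return cfg, nil // no middleman service account: skip project derivation
	}
	matches := projectRegex.FindStringSubmatch(email)
	if len(matches) < 2 { // group 0 is the whole match, group 1 the project
		return nil, fmt.Errorf("%s is not a service account email: %q", serviceAccountEmailAnnotation, email)
	}
	cfg.ServiceAccountEmail = &email
	cfg.Project = matches[1]
	return cfg, nil
}

func main() {
	cfg, err := ParseAnnotations(map[string]string{workloadIdentityProviderAnnotation: "projects/1/locations/global/workloadIdentityPools/p/providers/x"})
	fmt.Printf("direct access: project=%q sa=%v err=%v\n", cfg.Project, cfg.ServiceAccountEmail, err)
}
```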