fix: disallow auto-iam-authn with gcloud-auth (#1762)

This combination is insecure because it puts an OAuth2 token with broader scoped access than necessary into the ephemeral certificate. Because gcloud-auth is a legacy flag, it is generally discouraged. This commit also adds a note to make that clear and provides a clear alternative using Application Default Credentials. Fixes #1754 Co-authored-by: Jack Wotherspoon <[email protected]>
GoogleCloudPlatform · Apr 20, 2023 · 8200abe · 8200abe
1 parent b8c72f3
commit 8200abe
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/cmd/root.go b/cmd/root.go
@@ -377,7 +377,11 @@ func NewCommand(opts ...Option) *Command {
 	pflags.StringVarP(&c.conf.CredentialsJSON, "json-credentials", "j", "",
 		"Use service account key JSON as a source of IAM credentials.")
 	pflags.BoolVarP(&c.conf.GcloudAuth, "gcloud-auth", "g", false,
-		"Use gcloud's user credentials as a source of IAM credentials.")
+		`Use gcloud's user credentials as a source of IAM credentials.
+NOTE: this flag is a legacy feature and generally should not be used.
+Instead prefer Application Default Credentials
+(enabled with: gcloud auth application-default login) which
+the Proxy will then pick-up automatically.`)
 	pflags.BoolVarP(&c.conf.StructuredLogs, "structured-logs", "l", false,
 		"Enable structured logging with LogEntry format")
 	pflags.Uint64Var(&c.conf.MaxConnections, "max-connections", 0,
@@ -522,6 +526,11 @@ func parseConfig(cmd *Command, conf *proxy.Config, args []string) error {
 	if conf.IAMAuthN && conf.Token != "" && conf.LoginToken == "" {
 		return newBadCommandError("cannot specify --auto-iam-authn and --token without --login-token")
 	}
+	if conf.IAMAuthN && conf.GcloudAuth {
+		return newBadCommandError(`cannot use --auto-iam-authn with --gcloud-auth.
+Instead use Application Default Credentials (enabled with: gcloud auth application-default login)
+and re-try with just --auto-iam-authn`)
+	}
 	if conf.LoginToken != "" && (conf.Token == "" || !conf.IAMAuthN) {
 		return newBadCommandError("cannot specify --login-token without --token and --auto-iam-authn")
 	}

diff --git a/cmd/root_test.go b/cmd/root_test.go
@@ -951,6 +951,12 @@ func TestNewCommandWithErrors(t *testing.T) {
 				"--token", "my-token",
 				"--gcloud-auth", "proj:region:inst"},
 		},
+		{
+			desc: "when both gcloud auth and auto-iam-authn are set",
+			args: []string{
+				"--auto-iam-authn",
+				"--gcloud-auth", "proj:region:inst"},
+		},
 		{
 			desc: "when both gcloud auth and credentials file are set",
 			args: []string{