authenticating GCP providers with workload identity federation. #8671

Closed
mikhail-khodorovskiy opened this issue Mar 11, 2021 · 13 comments


@mikhail-khodorovskiy commented Mar 11, 2021


Is there a way for the provider to use
https://pkg.go.dev/golang.org/x/oauth2/google#hdr-Workload_Identity_Federation, specifically https://cloud.google.com/iam/docs/access-resources-aws, when the key was created using

gcloud beta iam workload-identity-pools create-cred-config
projects/project-number/locations/global/workloadIdentityPools/pool-id/providers/provider-id
--service-account=service-account-email
--output-file=filepath
--aws

and

GOOGLE_APPLICATION_CREDENTIALS points to the output file.

References

  • b/182512166
@venkykuberan venkykuberan self-assigned this Mar 11, 2021
@venkykuberan (Contributor)

Have you tried using the creds created by the command? I don't have an AWS setup to test it. Please try running the provider with the creds created and let us know the behavior.

@slevenick (Collaborator)

We currently support impersonating service accounts using OAuth 2 tokens. Does this work for your use case?

@upodroid (Contributor)

The oauth2 module is old.

$ git status
HEAD detached at v3.59.0
nothing to commit, working tree clean
$ go list -m golang.org/x/oauth2
golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5

Correct version is mentioned at https://cloud.google.com/iam/docs/access-resources-aws#generate-automatic

@ghost ghost removed waiting-response labels Mar 15, 2021
@upodroid (Contributor)

One caveat is that the JSON file must be set via the GOOGLE_APPLICATION_CREDENTIALS.

func (c *Config) GetCredentials(clientScopes []string) (googleoauth.Credentials, error) {

DefaultTokenSource calls https://pkg.go.dev/golang.org/x/oauth2/google#FindDefaultCredentials which supports Workload Identity Fed.
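As an added example (not the provider's own code), a Go check of the credential-configuration file that GOOGLE_APPLICATION_CREDENTIALS must point to, confirming it is a keyless external_account config for AWS before FindDefaultCredentials consumes it. SampleConfig, its placeholder project number, pool and provider names, and the trimmed field set are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed, trimmed sample of what `create-cred-config --aws` writes; IDs are placeholders.
const SampleConfig = `{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/example-pool/providers/example-aws-provider",
  "credential_source": {"environment_id": "aws1"}
}`

type credConfig struct { // only the fields the check needs
	Type             string `json:"type"`
	Audience         string `json:"audience"`
	PrivateKey       string `json:"private_key"` // only present in service-account key files
	CredentialSource struct {
		EnvironmentID string `json:"environment_id"`
	} `json:"credential_source"`
}

// The audience path is case-sensitive: "workloadIdentityPools" must stay camel-cased.
var audienceRe = regexp.MustCompile(`^//iam\.googleapis\.com/projects/(\d+)/locations/global/workloadIdentityPools/([^/]+)/providers/([^/]+)$`)

// Inspect returns (projectNumber, poolID, providerID) for a keyless AWS
// external_account config, or an error explaining why the file is not one.
func Inspect(raw []byte) (string, string, string, error) {
	var c credConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", "", "", err
	}
	switch {
	case c.Type != "external_account":
		return "", "", "", fmt.Errorf("type %q is not external_account", c.Type)
	case c.PrivateKey != "":
		return "", "", "", fmt.Errorf("config embeds a private key; a WIF config must not")
	case c.CredentialSource.EnvironmentID != "aws1":
		return "", "", "", fmt.Errorf("environment_id %q is not aws1", c.CredentialSource.EnvironmentID)
	}
	m := audienceRe.FindStringSubmatch(c.Audience)
	if m == nil {
		return "", "", "", fmt.Errorf("audience %q is not a workloadIdentityPools provider", c.Audience)
	}
	return m[1], m[2], m[3], nil
}

func main() { fmt.Println(Inspect([]byte(SampleConfig))) }
```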

@upodroid (Contributor)

@mikhail-khodorovskiy This should be fixed in v3.61 of the provider which should be coming out soon.

The dependency was bumped in #8686

@upodroid (Contributor)

v3.61 of the provider has now been released. Please try it out.

@mikhail-khodorovskiy (Author) commented Apr 1, 2021

Using version 3.61 still produces the problem:

Error: Error applying IAM policy for service account 'projects/journi-dev-tools-ef29/serviceAccounts/[email protected]': Error setting IAM policy for service account 'projects/journi-dev-tools-ef29/serviceAccounts/[email protected]': googleapi: Error 400: The member principalSet://iam.googleapis.com/projects/723946056346/locations/global/workloadidentitypools/journi-dev-identity-pool/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage is of an unknown type. Please set a valid type prefix for the member., badRequest


provider "google-beta" {
  version = "~> 3.61.0"
  region  = var.region
}

resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {
  provider           = google-beta
  service_account_id = google_service_account.janus.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${var.tools_project_number}/locations/global/workloadIdentityPools/${var.environment_name}-identity-pool/attribute.aws_role/arn:aws:sts::${var.paired_aws_account_id}:assumed-role/circle-runner-stack-stage"
}

3.62.0 beta provider does not work either.

@upodroid (Contributor) commented Apr 1, 2021

That error has nothing to do with the initial bug report.

It looks like this command is failing for you.

[image: screenshot of the failing gcloud command, not preserved]

Run that with gcloud and see if the error is still happening. You may need to reach out to Google Support if you are unable to do this via gcloud.

@mikhail-khodorovskiy (Author) commented Apr 5, 2021

I had an error with the id of the pool, but even after I fixed it, the gcloud command now works but the google_service_account_iam_member does not:

# role to assume: arn:aws:iam::{aws_account_id}:role/circle-runner-stack-stage
resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {
  count              = length(var.paired_aws_account_id) > 0 ? 1 : 0
  provider           = google-beta
  service_account_id = google_service_account.janus.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${var.tools_project_number}/locations/global/**workloadIdentityPools**/${local.identity_pool_id}/attribute.aws_role/arn:aws:sts::${var.paired_aws_account_id}:assumed-role/circle-runner-stack-stage"
  depends_on         = [google_iam_workload_identity_pool.identity_pool]
}

Terraform will perform the following actions:

  # module.journi-dev.module.external_service_accounts.google_service_account_iam_member.janus_google_sa_stack_stage_role[0] will be created
  + resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {
      + etag               = (known after apply)
      + id                 = (known after apply)
      + member             = "principalSet://iam.googleapis.com/projects/723946056346/locations/global/workloadIdentityPools/journi-dev-aws-idp/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage"
      + role               = "roles/iam.workloadIdentityUser"
      + service_account_id = "projects/journi-dev-tools-ef29/serviceAccounts/[email protected]"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.journi-dev.module.external_service_accounts.google_service_account_iam_member.janus_google_sa_stack_stage_role[0]: Creating...

Error: Error applying IAM policy for service account 'projects/journi-dev-tools-ef29/serviceAccounts/[email protected]': Error setting IAM policy for service account 'projects/journi-dev-tools-ef29/serviceAccounts/[email protected]': googleapi: Error 400: The member principalSet://iam.googleapis.com/projects/723946056346/locations/global/**workloadidentitypools**/journi-dev-aws-idp/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage is of an unknown type. Please set a valid type prefix for the member., badRequest

  on ../../modules/external_service_accounts/main.tf line 85, in resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role":
  85: resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {

Equivalent gcloud command:

 gcloud iam service-accounts add-iam-policy-binding [email protected] --role roles/iam.workloadIdentityUser --member principalSet://iam.googleapis.com/projects/723946056346/locations/global/workloadIdentityPools/journi-dev-aws-idp/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage --project journi-dev-tools-ef29
Updated IAM policy for serviceAccount [[email protected]].
bindings:
- members:
  - serviceAccount:[email protected]
  role: roles/iam.serviceAccountKeyAdmin
- members:
  - principalSet://iam.googleapis.com/projects/723946056346/locations/global/workloadIdentityPools/journi-dev-aws-idp/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage
  role: roles/iam.workloadIdentityUser
etag: BwW_PtpN_vQ=
version: 1

@mikhail-khodorovskiy (Author) commented Apr 5, 2021

Looks like the member is somehow passed through to_lower before being submitted to the GCP API call, where "workloadIdentityPools" needs to keep the case I described.

If I try to use gcloud all lower case, I get the same error as Terraform.

# role to assume: arn:aws:iam::{aws_account_id}:role/circle-runner-stack-stage
resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {
  count              = length(var.paired_aws_account_id) > 0 ? 1 : 0
  provider           = google-beta
  service_account_id = google_service_account.janus.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${var.tools_project_number}/locations/global/workloadIdentityPools/${local.identity_pool_id}/attribute.aws_role/arn:aws:sts::${var.paired_aws_account_id}:assumed-role/circle-runner-stack-stage"
  depends_on         = [google_iam_workload_identity_pool.identity_pool]
}

workloadIdentityPools can't be lower cased before being submitted to GCP.

@upodroid (Contributor) commented Apr 5, 2021

Yeah, that is a known issue, #7852. It is being worked on.
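The lower-casing failure described in the comments above, reproduced as an added Go example (not the provider's code and not its actual fix for #7852); the split between e-mail-style members, which are safe to lower-case, and principalSet:// resource paths, which are not, is this example's own assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// The member string from the issue above, which the provider was lower-casing
// before the API call; its "workloadIdentityPools" segment is case-sensitive.
const IssueMember = "principalSet://iam.googleapis.com/projects/723946056346/locations/global/workloadIdentityPools/journi-dev-aws-idp/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage"

// NaiveNormalize reproduces the failure mode: whole-string lower-casing.
func NaiveNormalize(member string) string { return strings.ToLower(member) }

// emailPrefixes are member kinds whose identifier is an e-mail address or
// domain; IAM returns these lower-cased, so normalizing them for diffing is
// safe (assumption made for this example, not the provider's exact rule set).
var emailPrefixes = []string{"user:", "serviceAccount:", "group:", "domain:"}

// NormalizeMember lower-cases only e-mail/domain style members and leaves
// principal:// and principalSet:// resource paths byte-for-byte intact.
func NormalizeMember(member string) string {
	for _, p := range emailPrefixes {
		if len(member) >= len(p) && strings.EqualFold(member[:len(p)], p) {
			return p + strings.ToLower(member[len(p):])
		}
	}
	return member
}

// CheckPoolCase reports an error if a workload identity member has had its
// "workloadIdentityPools" segment lower-cased, the exact condition behind the
// "unknown type" 400 shown in the issue.
func CheckPoolCase(member string) error {
	if strings.Contains(member, "/workloadidentitypools/") {
		return fmt.Errorf("member %q has a lower-cased workloadIdentityPools segment", member)
	}
	return nil
}

func main() {
	fmt.Println(CheckPoolCase(NaiveNormalize(IssueMember)))  // non-nil error
	fmt.Println(CheckPoolCase(NormalizeMember(IssueMember))) // <nil>
}
```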

@upodroid (Contributor) commented May 7, 2021

@rileykarson We can close this now. Both issues have been fixed.

@github-actions bot commented Jun 7, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 7, 2021