Fix GCP auth with service account credentials #1648
Conversation
We are trying to use the provider with SA credentials, but the authentication does not succeed because the required scope is not present in the JWT request: "https://www.googleapis.com/auth/cloud-platform"

This scope is mandatory according to the documentation https://developer.hashicorp.com/vault/docs/auth/gcp#gcp-credentials

The JWT sign request fails with the following error:

```
{"error":"invalid_scope","error_description":"Invalid OAuth scope or ID token audience provided."}
```

I was able to reproduce this in the TestAuthLoginGCP_Login test, but only after setting the initialized:true setting on the AuthLoginGCP.AuthLoginCommon object. I guess the test is not run when this value is not positioned.

This fixes the JWT token generation, but the provider's call to Vault is rejected because the `credentials` and `service_account` parameters are not expected by the endpoint. I added them to the `copyParamsExcluding` call and changed the expected parameters in the test.

I can now run this test with valid credentials:

```
$ GOOGLE_APPLICATION_CREDENTIALS="/tmp/creds.json" TF_ACC_GOOGLE_SERVICE_ACCOUNT="[email protected]" go test -run TestAuthLoginGCP_Login
PASS
ok      github.com/hashicorp/terraform-provider-vault/internal/provider 0.491s
```
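An added example (not the provider's own code) sketching the two parts of this fix in standard-library Go: the scope list for the credentials that sign the JWT always carries the mandatory cloud-platform scope (extra scopes are the configurable list the reviewer suggests), the JWT claims follow Vault's documented GCP IAM login format (`sub`, `aud` = `vault/<role>`, `exp`), and the login payload drops `credentials` and `service_account` before it reaches Vault. The function names, the sample parameters and the service account address are constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Scope Vault's GCP auth docs require on the credentials used to sign the JWT.
const CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"

// Provider-side parameters that the Vault login endpoint rejects (the PR fix).
var excludedLoginParams = map[string]bool{"credentials": true, "service_account": true}

// SignJWTScopes returns the OAuth scopes for the signing credentials. The
// mandatory scope is always first; extra (configurable) scopes are appended.
func SignJWTScopes(extra []string) []string {
	scopes := []string{CloudPlatformScope}
	for _, s := range extra {
		if s != CloudPlatformScope {
			scopes = append(scopes, s)
		}
	}
	return scopes
}

// IAMLoginClaims builds the claim set Vault expects in the signed JWT for the
// IAM login flow: sub = service account email, aud = "vault/<role>", exp.
func IAMLoginClaims(saEmail, role string, now time.Time, ttl time.Duration) map[string]any {
	return map[string]any{
		"sub": saEmail,
		"aud": "vault/" + role,
		"exp": now.Add(ttl).Unix(),
	}
}

// VaultLoginParams copies the login parameters minus the excluded keys,
// mirroring what copyParamsExcluding does after this PR.
func VaultLoginParams(params map[string]any) map[string]any {
	out := make(map[string]any, len(params))
	for k, v := range params {
		if !excludedLoginParams[k] {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed sample input; "credentials" would hold the SA key JSON.
	params := map[string]any{"role": "dev", "jwt": "<signed-jwt>", "credentials": "{...}", "service_account": "sa@example.iam.gserviceaccount.com"}
	fmt.Println(SignJWTScopes(nil))
	fmt.Println(IAMLoginClaims("sa@example.iam.gserviceaccount.com", "dev", time.Now(), 15*time.Minute))
	fmt.Println(VaultLoginParams(params))
}
```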
Looking good. Just a suggestion for making scopes a configurable.
LGTM 👍
Thank you for your contribution to HashiCorp!
I know it just got merged... but any idea when it will be released? (I was just facing this same problem 😓)
Sorry to hear you are having the same issue. We haven't set a date for v3.10.1 just yet. It should probably be mid next week at the earliest.
Thanks for the reply! Yeah, next week is totally fine 👍 Also thanks to @magat for the report and the fix! 🙌
Please pardon the delay in getting this fix out. It will go out in tomorrow's v3.11.0 release.