Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Google: Add functionality to impersonate GSuite Admin identity without JSON #2122

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

NaurisSadovskis
Copy link

@NaurisSadovskis NaurisSadovskis commented May 15, 2021

Overview

Hi folks, adding an option to impersonate GSuite Admin identity without service account key JSON. This functionality has been recently added as part of google-api-go-client v0.46.0

What this PR does / why we need it

This feature is primarily aimed at folks running within Google Cloud Platform (GCE/GKE):

  • Removes the need for (long-lived) user-managed service account keys when configuring Dex

Addresses: #1756

Special notes for your reviewer

I have not tested this with an actual GSuite tenant, as I don't have one, but can test it sometime next week.

Does this PR introduce a user-facing change?

Add the ability to impersonate GSuite Admin identity without service account JSON when running on Google Cloud Platform

@NaurisSadovskis NaurisSadovskis force-pushed the feature/keyless-gcp-authentication branch from ea8ac5e to 349fbfd Compare May 15, 2021 18:31
// Required if ServiceAccountFilePath
// Recommended when running inside Google Cloud Platform
// Use this instead of ServiceAccountFilePath to use default credentials
UseGoogleDefaultCredentials bool `json:"useGoogleDefaultCredentials"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if impersonation should be the default instead when service account file is not provided.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand your comment correctly, we cannot directly interact with GSuite Admin API with service accounts without a GSuite account impersonation. So regardless of the authentication method (key or no key), we will require to go through impersonation step.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@NaurisSadovskis - did you test this out? We are looking to use workload-identity instead of long-lived keys. when can we expect this to rollout?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if impersonation should be the default instead when service account file is not provided.

This makes sense, I guess in that case we don't need an explicit option for it?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey folks, apologies for not responding earlier. I'll try to test it in the coming weeks.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@NaurisSadovskis - any progress on this?

@sagikazarmark sagikazarmark requested a review from JoelSpeed May 26, 2021 13:08
@frezbo
Copy link

frezbo commented Feb 3, 2022

Anything pending to get this moving forward? happy to contribute

@jetersen
Copy link

I would be happy to test this. @sagikazarmark is it simply docker build -t img .? or is the build process more complex?

Maybe it would be good to share gcloud commands required to setup the service account with impersonation permissions? 😅

@jetersen
Copy link

jetersen commented Feb 23, 2022

Got to

Failed to authenticate: google: could not retrieve groups: could not list groups: Get "https://admin.googleapis.com/admin/directory/v1/groups?alt=json&pageToken=&prettyPrint=false&userKey=user%40company.com": impersonate: status code 404: { "error": { "code": 404, "message": "Requested entity was not found.", "status": "NOT_FOUND" } }

Not sure how I can validate that the service account is working.

Any hints @NaurisSadovskis

@jinnjwu
Copy link

jinnjwu commented May 1, 2022

What is latest status, we need this feature too, we hosting argocd in GKE, there is a service account in work nodes, do not want to paste a service acccount key, because our service account key needs to be rotated.

@renan
Copy link

renan commented May 30, 2024

Is this possible now? To impersonate GSuite Admin using workload identity?

@renan
Copy link

renan commented Jul 1, 2024

I am looking for something similar for Vault and I found this: hashicorp/vault#23983 (comment)

I have yet to try on Dex / Argo CD, but it looks promising!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants