
Implement GCE application default credentials #416

Merged

Conversation

codenrhoden (Contributor)

Enhance the GCEPD driver by adding support for application default
credentials. With this patch, a user no longer has to upload or provide
a JSON encoded file with service account credentials, as the GCE client
library will automatically fetch any service account credentials
associated with the GCE instances via the metadata server.

Improve docs to clarify what permissions are required of a service
account, regardless of whether you are providing it via JSON or
metadata lookup.
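The mechanism the description relies on, shown as an added example that is not libStorage's code (the real GCEPD driver delegates this to the Google client library): on a GCE instance, "application default credentials" means asking the metadata server for a token for the service account attached to the instance, and the instance's own zone comes from the same server. The metadata server, its paths and its `Metadata-Flavor: Google` header requirement are real; the `NewFakeMetadataServer` stand-in, the token value and the project number are constructed so the example runs offline. The security-relevant consequence is visible in the code: any process on the instance that can reach the metadata server gets the same token, so the roles granted to the attached service account should be exactly those the docs list and no more.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// The GCE metadata server refuses any request that lacks this header, which
// keeps simple header-less fetches (for example from a browser) from reading it.
const metadataFlavor = "Google"

// AccessToken mirrors the JSON body returned by
// /computeMetadata/v1/instance/service-accounts/default/token.
type AccessToken struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// metadataGet performs one metadata request with the required header and
// returns the raw body; any non-200 status is reported as an error.
func metadataGet(client *http.Client, baseURL, path string) ([]byte, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+path, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata-Flavor", metadataFlavor)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata %s: HTTP %d", path, resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// FetchDefaultToken is the core of application default credentials on GCE:
// the token for the attached service account comes from the metadata server,
// so no key file ever has to be placed on the instance.
func FetchDefaultToken(client *http.Client, baseURL string) (*AccessToken, error) {
	body, err := metadataGet(client, baseURL,
		"/computeMetadata/v1/instance/service-accounts/default/token")
	if err != nil {
		return nil, err
	}
	var tok AccessToken
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, err
	}
	if tok.AccessToken == "" {
		return nil, fmt.Errorf("metadata token response had no access_token")
	}
	return &tok, nil
}

// InstanceZone returns the short zone name ("us-central1-a") parsed from the
// "projects/<number>/zones/<zone>" value the metadata server reports; this is
// what a driver falls back on when no zone is configured.
func InstanceZone(client *http.Client, baseURL string) (string, error) {
	body, err := metadataGet(client, baseURL, "/computeMetadata/v1/instance/zone")
	if err != nil {
		return "", err
	}
	full := strings.TrimSpace(string(body))
	return full[strings.LastIndex(full, "/")+1:], nil
}

// NewFakeMetadataServer is a constructed stand-in for metadata.google.internal
// (assumption: real behaviour is only approximated). Like the real server it
// rejects requests without the Metadata-Flavor header. Token and project number
// are made-up sample values.
func NewFakeMetadataServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/computeMetadata/v1/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata-Flavor") != metadataFlavor {
			http.Error(w, "Missing Metadata-Flavor:Google header.", http.StatusForbidden)
			return
		}
		switch r.URL.Path {
		case "/computeMetadata/v1/instance/service-accounts/default/token":
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"access_token":"ya29.constructed-example","expires_in":3599,"token_type":"Bearer"}`)
		case "/computeMetadata/v1/instance/zone":
			fmt.Fprint(w, "projects/123456789/zones/us-central1-a")
		default:
			http.NotFound(w, r)
		}
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeMetadataServer()
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	tok, err := FetchDefaultToken(client, srv.URL)
	if err != nil {
		fmt.Println("token error:", err)
		return
	}
	zone, err := InstanceZone(client, srv.URL)
	if err != nil {
		fmt.Println("zone error:", err)
		return
	}
	fmt.Printf("got %s token valid for %ds; instance zone %s\n", tok.TokenType, tok.ExpiresIn, zone)
}
```

Against a real instance the base URL would be `http://metadata.google.internal` and the returned token is what the Google client library hands to the Compute API; the missing-header rejection is why a plain `curl` without `-H "Metadata-Flavor: Google"` gets a 403.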

* The `zone` parameter is optional, and configures the driver to *only* allow
access to the given zone. Creating and listing disks from other zones will be
denied. If a zone is not specified, the zone from the client Instance ID will
be used when creating new disks.
* The `defaultDiskType` parameter is optional, and specified what type of disk
* The `defaultDiskType` parameter is optional, and specifies what type of disk
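Review bot: the `zone` paragraph in this hunk leaves the unconfigured case half described: it states that an explicit `zone` denies creating and listing disks in other zones, and that the instance's own zone is used for new disks when none is given, but not what listing covers when `zone` is unset. Suggest one more sentence stating the actual behaviour, for example "If a zone is not specified, disks in all zones are visible to the driver." if that is what the driver does, so a reader can tell whether setting `zone` is a functional default or a restriction worth applying.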
Collaborator


Hi @codenrhoden,

This should omit the comma as follows:

The defaultDiskType parameter is optional and specifies what type of disk

The secondary part of the sentence is not a sentence on its own and thus a conjunctive comma is inappropriate.

Engine default service account, create a new service account with the Service
Account Actor role, and create/download a new private key in JSON format. see
[creating a service account](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount)
* The libStorage server must be running on a GCE instance created with a Service
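Review bot: the role list on the "Service Account Actor role" line is narrower than the roles the discussion settles on (Compute Engine Instance Admin, Compute Engine Storage Admin and Service Account Actor); the line should be updated to match so a reader following the JSON-key path does not create an under-privileged account and then see unexplained permission errors. Also, "see [creating a service account]" opens a new sentence and should be capitalised.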
Collaborator

@akutz akutz Feb 15, 2017


Hi @codenrhoden,

@cantbewong suggested the following change:

The libStorage server must be running on a GCE instance created with a Service Account with appropriate permissions, or a Service Account credentials file in JSON format must be supplied. If not using the Compute Engine default Service Account with the Cloud Platform/"all cloud APIs" scope, create a new Service Account via the IAM portal (Service accounts tab). This Service Account requires the Compute Engine/Instance Admin, Compute Engine/Storage Admin, and Project/Service Account Actor roles. Then create/download a new private key in JSON format. See creating a service account for details. Also note that if permissions on a service account are edited, an instance must be restarted to have them take effect.

I'm noting a change to Steve's suggestion:

The REX-Ray service must be restarted in order for permissions changes on a service account to take effect.


Yes, agree with @akutz

@codecov-io

codecov-io commented Feb 15, 2017

Codecov Report

Merging #416 into release/0.5.0 will increase coverage by 0.05%.
The diff coverage is n/a.

@@                Coverage Diff                @@
##           release/0.5.0     #416      +/-   ##
=================================================
+ Coverage          30.44%   30.49%   +0.05%     
=================================================
  Files                 29       29              
  Lines               1741     1741              
=================================================
+ Hits                 530      531       +1     
+ Misses              1153     1152       -1     
  Partials              58       58
| Impacted Files | Coverage Δ |
|---|---|
| api/types/types_localdevices.go | 79.24% <ø> (+1.88%) |


Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d80acc5...5f8d7e2.

@codenrhoden force-pushed the enhancement/gce_iam_support branch from 8be4156 to 0bc6491 on February 15, 2017 20:49
@codenrhoden (Contributor, Author)

Suggestions implemented. I linked directly to the Service Accounts page within the IAM portal instead of telling you to navigate there.

I also mentioned restarting libStorage instead of REX-Ray -- I try not to reference REX-Ray from libStorage docs.

@codenrhoden force-pushed the enhancement/gce_iam_support branch from 0bc6491 to 3330db5 on February 15, 2017 20:52
@codenrhoden force-pushed the enhancement/gce_iam_support branch from 3330db5 to 5f8d7e2 on February 15, 2017 20:56
@cantbewong

LGTM

@akutz akutz merged commit e71e826 into thecodeteam:release/0.5.0 Feb 15, 2017
@akutz akutz removed the in progress label Feb 15, 2017
@codenrhoden codenrhoden deleted the enhancement/gce_iam_support branch February 16, 2017 15:37