-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate UrlSigner support for ComputeCredential #2316
Comments
Initial investigation:
(I'm not giving up yet though.) |
Thank you. The first option requires local management of the service account credentials including rotation of private key and re-deployment of the renewal credentials to running instances. Therefore, it isn't good for production. |
I've asked internally whether this is feasible; I'll update this issue when I hear back. |
Okay, I've been looking into this a bit more, and I've worked out a way that I believe will work, but I want to see whether it'll be useful to you or not before I implement it. The IAM API has a SignBlob method which I believe will create the appropriate signature that
You could either create a service account specifically for URL signing, and grant access to the default Compute Engine service account, or you could use the metadata API to discover the default Compute Engine service account and use the directly. With the first option you'd have to specify the account to use as part of your application configuration. I'm prototyping this now just to prove that it works, and I'll update this issue with a link to a "not for submission" PR if it does. |
Example of how we might solve googleapis#2316.
Okay, I've prototyped it in #2325. The changes in We might then encapsulate that code in a separate package; it would probably depend on demand. I was able to use this to sign a URL with a different service account than the one I was authenticated as; I had to:
Please let me know whether this meets your needs. If it does, I'll make the production code changes "properly" (comments, tests etc) and then create another release. |
@jskeet it sounds as a solution. if the role of "Service Account Token Creator" is the only addition beside "Cloud Storage Editor" role that the service account requires, I think it should be safe enough to grant it. |
@minherz: Great! Glad it sounds like this could work for you. Let me know if you run into any problems building my commit - the tricky bit is likely to be that you'll need to deploy the locally-modified version of Google.Cloud.Storage.V1 with blob signer part. |
@sjkeet is it possible to retrieve a default (for current instance) service account id instead of getting it explicitly? |
@minherz: You'd have to explicitly fetch it from the metadata service. We could potentially include code to do that, but for the moment this documentation is the appropriate starting point, I think. |
@jskeet: means there is no dotnet support for the metadata REST API? |
There's Google.Cloud.Metadata.V1 - it's in alpha, but it may do what you need; I haven't tried it for this purpose. (It's mostly been in alpha for organizational reasons. We could definitely put some more time into reviewing the API, promoting it to beta, and then eventually to GA. We haven't seen much need for it before, but this could be a good use for it.) |
(And if that's a good starting point but doesn't quite have the functionality it should, we could look into implementing the relevant functionality.) |
I cannot add it to my solution. Executing |
Hmm... I'm not sure where that error's coming from; I've just tried it myself and it worked. On the other hand, it has some very old dependencies. I'll look at getting that updated, and see whether it does provide service account access. I don't know offhand whether you need an access token to access the metadata server; I suspect you don't given that if you're running on GCE it "knows" which instance it's from. I suspect you just want to create a new |
It looks like if you can get var metadataClient = MetadataClient.Create();
var metadata = metadataClient.GetInstanceMetadata();
var serviceAccountEmail = metadata.ServiceAccounts.FirstOrDefault()?.Email; I'll try that in Cloud Shell and see whether it does what I'd expect... then update its dependencies and release either another alpha or possibly a beta. (That won't be this week though; it's near the end of the day in the UK and I'm on vacation tomorrow. I can do the quick experiment today, but not the rest.) |
NP. Thank you. |
Hmm... that didn't fetch any service accounts at all. Will need to look more closely... |
Hmm. For some reason, running this:
shows me the service account email, but this (which is what the library does):
... doesn't include the service accounts. I'll have to ask about that internally. So for now, I'd recommend just fetching the first URL with a newly-minted |
It seems that the service account also requires |
I'm afraid I don't quite follow what you've done or where the problem is. Are you able to share what you've done? |
Sorry, it seems that a GCE instance i was testing on wasn't bound to the right service account. The role that you described ("Service Account Token Creator") grants this permission. |
Is it right to use HTTP to retrieve metadata? |
off-topic question, is it possible to get |
@minherz: Yes, I believe that using HTTP is fine. It's all within Google's infrastructure, and I believe it will be encrypted on the wire anyway. I don't believe it's possible to create a You mentioned earlier that you hadn't needed my modifications to |
I meant that as part of our solution I cannot propose them to use a cloned version of the library. That's why instead of incorporating a change inside |
Example of how we might solve googleapis#2316.
Example of how we might solve googleapis#2316.
Example of how we might solve googleapis#2316.
This addresses googleapis#2316 by creating a seam for the signing part of UrlSigner. In the future we may want to release a package specifically to make the IAM integration simple, but for the moment we've just got a sample in the docs. (Another possibility would be to add a dependency on the IAM package and include the IAM signer here, but I'd prefer not to do that.)
Just to come back on the "service accounts from the metadata server" part - while it doesn't show in Cloud Shell, executing this: $ curl http://169.254.169.254/computeMetadata/v1/instance/?recursive=true ... on a "regular" VM does show the service accounts. So you could use the Metadata package for that if you want - but for just this, it's probably equally simple to fetch the value directly. |
Thank you. As i wrote, i have a problem using metadata client library Nuget package for some reason. We also can have a regulatory problem to approve the use of alfa package. However, the following simple code replaces the need for the package: var c = new HttpClient();
c.DefaultRequestHeaders.Add("Metadata-Flavor", "Google");
serviceId = await c.GetStringAsync("http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email"); Thank you again, for the all help. If the changes (from #2325) can be added into Google.Cloud.Storage.V1, we gladly will migrate from the custom solution. |
This addresses googleapis#2316 by creating a seam for the signing part of UrlSigner. In the future we may want to release a package specifically to make the IAM integration simple, but for the moment we've just got a sample in the docs. (Another possibility would be to add a dependency on the IAM package and include the IAM signer here, but I'd prefer not to do that.)
This addresses googleapis#2316 by creating a seam for the signing part of UrlSigner. In the future we may want to release a package specifically to make the IAM integration simple, but for the moment we've just got a sample in the docs. (Another possibility would be to add a dependency on the IAM package and include the IAM signer here, but I'd prefer not to do that.)
This addresses #2316 by creating a seam for the signing part of UrlSigner. In the future we may want to release a package specifically to make the IAM integration simple, but for the moment we've just got a sample in the docs. (Another possibility would be to add a dependency on the IAM package and include the IAM signer here, but I'd prefer not to do that.)
The change is now merged; I'll look into doing a new release shortly. |
This is now released as 2.2.0-beta02. I don't think there's anything really stopping us from going to GA with it as 2.2.0, other than the desire to let it "bake" in case there are problems. |
Branched off #1056, specifically for ComputeCredential, or possibly ServiceCredential.
The text was updated successfully, but these errors were encountered: