-
-
Save pdecat/80f21e36583420abbfdeae0494a53501 to your computer and use it in GitHub Desktop.
| package main | |
| import ( | |
| "context" | |
| "flag" | |
| "log" | |
| "net/url" | |
| "time" | |
| "cloud.google.com/go/compute/metadata" | |
| credentials "cloud.google.com/go/iam/credentials/apiv1" | |
| "cloud.google.com/go/storage" | |
| "golang.org/x/oauth2" | |
| "golang.org/x/oauth2/google" | |
| credentialspb "google.golang.org/genproto/googleapis/iam/credentials/v1" | |
| ) | |
| func main() { | |
| var bucket string | |
| var object string | |
| var method string | |
| flag.StringVar(&bucket, "bucket", "", "The bucket") | |
| flag.StringVar(&object, "object", "", "The object in the bucket") | |
| flag.StringVar(&method, "method", "GET", "The HTTP method to use") | |
| flag.Parse() | |
| log.Printf("bucket: %v", bucket) | |
| log.Printf("object: %v", object) | |
| log.Printf("method: %v", method) | |
| creds, err := google.FindDefaultCredentials(oauth2.NoContext) | |
| if err != nil { | |
| log.Printf("Error while getting default credentials: %v", err) | |
| return | |
| } | |
| token, err := creds.TokenSource.Token() | |
| if err != nil { | |
| log.Printf("Error while getting token: %v", err) | |
| return | |
| } | |
| accountID, ok := token.Extra("oauth2.google.serviceAccount").(string) | |
| if !ok { | |
| log.Printf("Error while getting account ID: %v", err) | |
| return | |
| } | |
| log.Printf("accountID: %v", accountID) | |
| client, err := google.DefaultClient(oauth2.NoContext) | |
| if err != nil { | |
| log.Printf("Error while getting default client: %v", err) | |
| return | |
| } | |
| computeMetadataClient := metadata.NewClient(client) | |
| email, err := computeMetadataClient.Email(accountID) | |
| if err != nil { | |
| log.Printf("Error while getting email: %v", err) | |
| return | |
| } | |
| log.Printf("email: %v", email) | |
| projectID, err := computeMetadataClient.ProjectID() | |
| if err != nil { | |
| log.Printf("Error while getting project ID: %v", err) | |
| return | |
| } | |
| log.Printf("projectID: %v", projectID) | |
| sc := storage.SignedURLOptions{ | |
| GoogleAccessID: email, | |
| Method: method, | |
| Expires: time.Now().Add(60 * time.Second), | |
| ContentType: "", | |
| } | |
| sc.SignBytes = func(payload []byte) ([]byte, error) { | |
| ctx := context.Background() | |
| credsClient, err := credentials.NewIamCredentialsClient(ctx) | |
| if err != nil { | |
| return nil, err | |
| } | |
| req := &credentialspb.SignBlobRequest{ | |
| Name: email, | |
| Payload: payload, | |
| } | |
| res, err := credsClient.SignBlob(ctx, req) | |
| if err != nil { | |
| return nil, err | |
| } | |
| return res.SignedBlob, err | |
| } | |
| rawURL, err := storage.SignedURL(bucket, object, &sc) | |
| if err != nil { | |
| log.Printf("Error while generating GCS pre-signed URL: %v", err) | |
| return | |
| } | |
| URL, err := url.Parse(rawURL) | |
| if err != nil { | |
| log.Printf("Error while parsing generated URL: %v", err) | |
| return | |
| } | |
| log.Printf("URL to use with %v method: %v", method, URL) | |
| return | |
| } |
Hi @pdecat, why is roles/iam.serviceAccountTokenCreator required? How do other functions in the library like list buckets etc work without this?
What do they use internally?
Thanks
Hi @challarao, the Service Account Token Creator role enables the impersonation of service accounts to sign blobs using the SignBlob() function.
See https://cloud.google.com/iam/docs/service-accounts#token-creator-role
and https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
and https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
Thanks for responding @pdecat. You mentioned "must be granted the roles/iam.serviceAccountTokenCreator on itself". I'm trying to figure out the "itself" part. How to do that while creating the service account?
This is what I tried:
- Create service account in IAM
- In the roles section add "roles/iam.serviceAccountTokenCreator"
- In condition section ???
I imagine it has something to do with condition section, what do I need to do there to restrict the permission on self? Do I need to add name restriction?
Thanks
No need for conditions, the IAM binding is not done on the project resource, but on the IAM service account resource itself, e.g.:
# gcloud iam service-accounts get-iam-policy [email protected]
bindings:
- members:
- serviceAccount:[email protected]
role: roles/iam.serviceAccountTokenCreator
- members:
- serviceAccount:mygcpproject.svc.id.goog[myk8snamespace/myk8sapp]
role: roles/iam.workloadIdentityUser
etag: BwWf3CXxQdE=
version: 1
I'm not getting the bindings similar to what you are getting. This is what I've tried:
- Create service account
- Add role
I added this only because I didn't see that option in step 3.
-
Granted itself access to itself
-
Invoked the command you used:
gcloud iam service-accounts get-iam-policy [email protected]
bindings:
- members:
- serviceAccount:[email protected]
role: roles/iam.serviceAccountUser
etag: BwWxEVwMnV4=
version: 1
In my output I don't see service account creator in the role. While you have it in your policy. What am I missing in the service account creation?
Thanks
I was able to create the binding using this command:
gcloud iam service-accounts add-iam-policy-binding [email protected] --member serviceAccount:[email protected] --
role roles/iam.serviceAccountTokenCreator
Now I'm getting the output similar to yours:
bindings:
- members:
- serviceAccount:[email protected]
role: roles/iam.serviceAccountTokenCreator
etag: BwWxEg_JjV0=
version: 1
Hoping this is the way to do it. Thanks.
@pdecat, is the
SignBlobRequest.Namefield in the formatprojects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}as mentioned in the docs??It is the raw email address of the service account.
@pdecat, thanks for the reply. I was referring to the docs here which seems to suggest to use projects/-/serviceAccounts/{rawEmail} instead.
Note: for this to work, the IAM service account must be granted the
roles/iam.serviceAccountTokenCreatoron itself, in addition to IAM permissions on the target GCS bucket.