Parsing the x-envoy-peer-metadata field.
eg, in istio outbound
{
"args": {},
"headers": {
"Accept-Encoding": "gzip",
"Host": "httpbin.org", 
salrashid123
salrashid123
/ subjectoken.go
Created
November 15, 2024 13:45
Google WorkloadFederation SubjectTokenSupplier sample
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| simple example of https://pkg.go.dev/golang.org/x/oauth2/google/externalaccount#SubjectTokenSupplier | |
| also see https://github.com/salrashid123/gcp_aws_web_identity | |
| */ | |
| package main | |
| import ( |
salrashid123
/ peer-metadata-parsing.md
Created
November 10, 2024 14:44
Parsing `X-Envoy-Peer-Metadata`
BQ wrapped keyset per row
bq query --nouse_legacy_sql "
DECLARE kms_resource_name STRING;
SET kms_resource_name = 'gcp-kms://projects/srashid-test2/locations/us/keyRings/bqkr/cryptoKeys/k1';
salrashid123
/ iteratesa.go
Created
October 23, 2024 09:27
slowly iterate GCP service accounts in an org for last authentication time
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| // gcloud auth application-default login | |
| // export USER=`gcloud config get-value core/account` | |
| // export PROJECT_ID=`gcloud config get-value core/project` | |
| // export QUOTA_PROJECT=$PROJECT_ID | |
| // export ORGANIZATION_ID="organizations/1111111" | |
| // gcloud services enable policyanalyzer.googleapis.com | |
| // gcloud projects add-iam-policy-binding --role=roles/serviceusage.serviceUsageConsumer --member=user:$USER $QUOTA_PROJECT |
salrashid123
/ parameter.md
Last active
October 15, 2024 21:53
go-tpm raw request parameter marshal and unmarshal
encode/decode go-tpm request parameters for use with TPMPolicySyntax
github.com/google/go-tpm/tpm2/sessions.go
func CPBytes[R any](cmd Command[R, *R]) ([]byte, error) {
return cmdParameters(cmd, nil)
}
salrashid123
/ AWS_v4_Signing_noSDK_TPM.md
Last active
September 10, 2024 12:20
AWS SigV4 Signing without SDK using Trusted Platform Module (TPM)
similar to https://github.com/aws-samples/sigv4-signing-examples but the varaint below invokes sts.GetCallerIdentity where the AWS_SECRET_ACCESS_KEY is embedded in a TPM
In other words, this sample will seal the AWS_SECRET_ACCESS_KEY inside a TPM and then use the TPM to create an AWS v4 signature
at no time does the secret leave the TPM but it can be made to issue an hmac
for more info, see
salrashid123
/ AWS_v4_Signing_noSDK.md
Last active
September 10, 2024 12:21
AWS SigV4 Signing without SDK
Variant of AWS v4 signing without SDK
but the varaint below invokes sts.GetCallerIdentity
To use, simply export env vars and run the python script below.
The script will manually sign and invoke the api using the AWS_SECRET_ACCESS_KEY as the secret
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| /* | |
| script extracts the tpm encryptedblob (which is the client public/private key | |
| curl -v -H 'Metadata-Flavor: Google' http://metadata/computeMetadata/v1/instance/credentials/certs | |
| { | |
| "encrypted_credentials": "qmiCsZSSGxU8w7MnZoKe0XriLAPYmNGh6t9BqwtI5MqEJS7sv3pGFaHWi+U0oT8zQpuVsVVaEHP2qLwjE11v7xGR8ZCGr2Y5XnvlyEao8rcD8th6hCswLdJiMUATSZviThwziGIGAAzuHOofzEHbp8vDMe4hFsinz1sPvmOrd1aN1HAYPcXH5qpMdo0kgklXhc3O8p+cgVKO2UA7uNqM+/mOHzgxdLZ9f+X8gxAA1WWgr+X2G4W1BUUTPxFTchnzImoandoUo/SMinSVSrvVSkBCEm6GttxBjjgjc0Y391bOsCcEZH2xUx/Ev7+TfI2zqz0nMYQgB8Vly4/07WAPwUX3D8mFAgoTnokAOgHz1mcenH6C7XhKQRKd84wst2e5L35WFAsXY2Dtj7NgAS08T1e1N81VzDIBS7L8B1y9Y9ACu4n2gcKr/uRo36zunKEOd9rBRvNOdpkzaU3RQC97FUJrAUu6At2q9RLE2brphkq5bn11/CXWskNuzApS3MwzG9jeHJ1AAmDYbKicr1jzgMXhSBB63FXMs87kNtqj3X8XiCFJ89Ckewv1r3G9kzHisOQP1JjSfzD/AFOabkg/eFI6WfnriADuNPwMJHCKMsjDik+f6w4rLuOuLjMFm5OCAQkqAIppiWiBIfoT+4P7Z8Eg31s35wBvd82bIuTx8jG5ODYR7DjXa2kKlnytSI6KKPzlu3Q4z2gzkn3vuP5H5qjpWgDripKr2uqGMsYCRTEC0q0AutLtEY4ayU/Xo07kPyC/fBfQgXJuK/4Eq4UGHmbUP3YWaz |
salrashid123
/ duplicate_tpm.md
Last active
August 8, 2024 14:01
Transfer TPM based key using PCR policy
Procedure to transfer a TPM key from one TPMA to TPMB with policies:
policy_duplicateselect: TPMB cannot re-export it.policy_pcr: allows TPMA to set which PCR values must be preset on B to use this key
see Prevent Chained duplication from A -> B -> C using tpm2_policyduplicationselect
salrashid123
/ keyfile.md
Last active
June 11, 2024 13:40
go-tpm-files save/load from persistent handle
-
crate prmiary
-
create key
-
evict primary to persistent handle
0x81000000 -
save key with go-tpm-keyfiles
-
load key using go-tpm-keyfile
module mainNewerOlder