
salrashid123 / k8s_wif_11.txt
Created December 6, 2021 13:23
k8s_wif_11.txt
$ kubectl get po
NAME READY STATUS RESTARTS AGE
myapp-deployment-86d84cff8f-ckljb 1/1 Running 0 26s
myapp-deployment-86d84cff8f-nkshd 1/1 Running 0 26s
$ kubectl exec -ti myapp-deployment-86d84cff8f-ckljb cat /var/run/secrets/iot-token/iot-token
eyJhbGciOiJSUzI1NiIsImtpZCI6IkFUaUdaN2Y2ZTRfMlFtOG5lQWhQeFlEVnlmRkpEQzNTUV9JNFFIdFgzbjgifQ.eyJhdWQiOlsiZ2NwLXN0cy1hdWRpZW5jZSJdLCJleHAiOjE2MzQ5MTY2MDAsImlhdCI6MTYzNDkwOTQwMCwiaXNzIjoiaHR0cHM6Ly9lNzgyLTcyLTgzLTY3LTE3NC5uZ3Jvay5pbyIsImt1YmVybmV0ZXMuaW8iOnsibmFtZXNwYWNlIjoiZGVmYXVsdCIsInBvZCI6eyJuYW1lIjoibXlhcHAtZGVwbG95bWVudC04NmQ4NGNmZjhmLWNrbGpiIiwidWlkIjoiY2JhNTVlZGMtYmMwOC00YjVkLWJmZTEtYzBhMTA5YWVkYjVmIn0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJzdmMxLXNhIiwidWlkIjoiZTQxNmE5OTEtNmE2Ni00ODc3LWJhMjYtYTk3YTYwZjQ0ZjIyIn19LCJuYmYiOjE2MzQ5MDk0MDAsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnN2YzEtc2EifQ.mFf5VEdeFXhi2I7tYN5ORToKeEPlnRW3uNPUGEkcozMtNAGVrL0bRKm7eaQHWilpdxFJ3gjN7RjHOqP0e-4dsHl_zE2S
salrashid123 / ks8_wif_9.txt
Created December 6, 2021 13:22
ks8_wif_9.txt
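# Create the GCP service account that the federated Kubernetes identity will
# impersonate, bind the Kubernetes subject to it, then grant it a project role.
# Requires PROJECT_ID and PROJECT_NUMBER in the environment; abort early with a
# clear message instead of building malformed resource names from empty values.
: "${PROJECT_ID:?PROJECT_ID must be set}"
: "${PROJECT_NUMBER:?PROJECT_NUMBER must be set}"

gcloud iam service-accounts create oidc-federated

# workloadIdentityUser lets the mapped pool subject (the `sub` claim of the
# projected token, system:serviceaccount:default:svc1-sa) impersonate
# oidc-federated. Keep the member pinned to one subject rather than the
# whole pool so other ServiceAccounts in the cluster cannot use it.
gcloud iam service-accounts add-iam-policy-binding \
  "oidc-federated@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role roles/iam.workloadIdentityUser \
  --member "principal://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/pool-k8s/subject/system:serviceaccount:default:svc1-sa"

# Project-wide role for the impersonated service account.
# NOTE(review): roles/storage.objectAdmin on the whole project is broad; scope
# the binding to the specific buckets the workload needs where possible.
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:oidc-federated@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role roles/storage.objectAdmin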
salrashid123 / k8s_wif_7.sh
Created December 6, 2021 13:21
k8s_wif_7.sh
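# Manually exchange the pod's projected Kubernetes ServiceAccount token for a
# GCP access token at the STS token-exchange endpoint (the same exchange the
# external_account credential config performs automatically).
# Requires PROJECT_NUMBER in the environment and the named pod to be running.
: "${PROJECT_NUMBER:?PROJECT_NUMBER must be set}"

# Reading a file needs no TTY: -t can alter the captured bytes (CR/LF
# translation), and `--` stops kubectl from parsing the command as its own
# options. Assign and export separately so a failed exec is not masked.
OIDC_TOKEN=$(kubectl exec myapp-deployment-86d84cff8f-ckljb -- \
  cat /var/run/secrets/iot-token/iot-token) || exit 1
export OIDC_TOKEN

# The subject token is fed to curl over stdin (name@- form of
# --data-urlencode) instead of on the command line, so it does not appear
# in `ps` output or shell history. -sS keeps progress quiet but still
# reports transport errors.
printf '%s' "${OIDC_TOKEN}" | curl -sS -X POST \
  -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "audience=//iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1" \
  -d "subject_token_type=urn:ietf:params:oauth:token-type:jwt" \
  -d "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
  -d "scope=https://www.googleapis.com/auth/cloud-platform" \
  --data-urlencode "subject_token@-" \
  https://sts.googleapis.com/v1beta/token | jq '.'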
salrashid123 / k8s_wif_5.json
Created December 6, 2021 13:20
k8s_wif_5.json
{
"type": "external_account",
"audience": "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"credential_source": {
"file": "/var/run/secrets/iot-token"
},
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
salrashid123 / k8s_wif_3.txt
Created December 6, 2021 13:20
k8s_wif_3.txt
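# Generate the external_account credential config (sts-creds.json) that maps
# the workload identity pool provider to the GCP service account to impersonate.
# Requires PROJECT_ID and PROJECT_NUMBER in the environment.
: "${PROJECT_ID:?PROJECT_ID must be set}"
: "${PROJECT_NUMBER:?PROJECT_NUMBER must be set}"

# --credential-source-file must be the exact path at which the pod mounts its
# projected ServiceAccount token; the client library reads this file at
# runtime, so a mismatch with the pod's volume mount breaks authentication
# rather than failing at config time.
gcloud beta iam workload-identity-pools create-cred-config \
  "projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1" \
  --service-account="oidc-federated@${PROJECT_ID}.iam.gserviceaccount.com" \
  --output-file=sts-creds.json \
  --credential-source-file=/var/run/secrets/iot-token/iot-token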
salrashid123 / k8s_wif_2.yaml
Created December 6, 2021 13:19
k8s_wif_2.yaml
# Kubernetes ServiceAccount whose projected token is federated to GCP; with no
# namespace given it lands in `default`, matching the pool subject
# system:serviceaccount:default:svc1-sa used in the IAM binding.
apiVersion: v1
kind: ServiceAccount
metadata:
name: svc1-sa
---
# Long-lived ServiceAccount token Secret.
# NOTE(review): the API server requires a kubernetes.io/service-account-token
# Secret to carry the kubernetes.io/service-account.name annotation naming
# the ServiceAccount; this preview may be cut off here — confirm the full
# manifest includes it.
# NOTE(review): the STS exchange uses the short-lived, audience-bound projected
# token, so a non-expiring Secret token may not be needed at all — confirm it
# is actually consumed before keeping it.
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: mysecretname
salrashid123 / k8s.txt
Created December 6, 2021 13:18
k8s_wif_1.txt
$ kubectl exec -ti myapp-deployment-548bb79f55-brddj /bin/bash
root@myapp-deployment-548bb79f55-brddj:/# echo $GOOGLE_APPLICATION_CREDENTIALS
/adc/creds/sts-creds.json
root@myapp-deployment-548bb79f55-brddj:/# cat /adc/creds/sts-creds.json
{
"type": "external_account",
"audience": "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
salrashid123 / main.go
Created December 4, 2021 19:28
golang-jwt-tpm
package main
import (
"context"
"fmt"
"log"
"time"
"github.com/golang-jwt/jwt"
tpmjwt "github.com/salrashid123/golang-jwt-tpm"
salrashid123 / main.go
Created December 4, 2021 19:26
golang-jwt-yubikey
package main
import (
"context"
"fmt"
"log"
"time"
"github.com/golang-jwt/jwt"
yk "github.com/salrashid123/golang-jwt-yubikey"
)
var ()
#!/usr/bin/python
# 1. user auth
# export http_proxy=http://localhost:3128
# auth N
# gcs N
# pubsub Y
# 1638366068.078 261 192.168.9.1 TCP_TUNNEL/200 7876 CONNECT pubsub.googleapis.com:443 - HIER_DIRECT/142.250.73.202 -