# Create the service account that the federated Kubernetes identity will impersonate
gcloud iam service-accounts create oidc-federated
# Let only the Kubernetes SA "svc1-sa" in namespace "default" impersonate it; the
# member is the pool subject that the provider's attribute mapping derives from the token's "sub"
gcloud iam service-accounts add-iam-policy-binding oidc-federated@$PROJECT_ID.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/pool-k8s/subject/system:serviceaccount:default:svc1-sa"
# Grant the service account what the workload needs. This binding is project-wide;
# a bucket-level binding is the narrower choice when only one bucket is involved
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member "serviceAccount:oidc-federated@$PROJECT_ID.iam.gserviceaccount.com" \
  --role roles/storage.objectAdmin
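The binding above names the federated identity by its mapped subject, so the projected token's `sub` has to match it exactly and its `aud` has to be one the provider accepts; a mismatch in either only shows up later as an opaque STS or IAM error. The following is an added example, not code from the original post or from the author's repositories: it decodes a projected service-account token, checks expiry and audience, and derives the `principal://` member that the `roles/iam.workloadIdentityUser` binding must carry. The project number, pool name, the `https://iam.googleapis.com/...` allowed audience (an OIDC provider's default unless `--allowed-audiences` was set) and the function names `parseClaims`, `principalMember` and `checkBinding` are assumptions; the token is constructed inline and its signature segment is a placeholder, since STS, not this code, verifies signatures.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims the federation path depends on. They are decoded, not verified: Google
// STS verifies the signature against the OIDC provider's issuer JWKS.
type claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"` // projected (TokenRequest) tokens emit aud as an array
	Exp int64    `json:"exp"`
}

// parseClaims splits a compact JWS and decodes its payload segment.
func parseClaims(tok string) (c claims, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a compact JWS (%d segments)", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c, err
}

// principalMember is the member a roles/iam.workloadIdentityUser binding must
// name for this token, assuming the pool maps google.subject=assertion.sub.
func principalMember(projectNumber, pool, sub string) string {
	return "principal://iam.googleapis.com/projects/" + projectNumber +
		"/locations/global/workloadIdentityPools/" + pool + "/subject/" + sub
}

// checkBinding reproduces locally the checks that otherwise surface only as an
// opaque STS or IAM error: expiry, allowed audience, and whether the bound
// member corresponds to this token's subject.
func checkBinding(tok, projectNumber, pool, allowedAud, boundMember string, now time.Time) error {
	c, err := parseClaims(tok)
	if err != nil {
		return err
	}
	if now.Unix() >= c.Exp {
		return fmt.Errorf("token expired at %s", time.Unix(c.Exp, 0).UTC())
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == allowedAud
	}
	if !audOK {
		return fmt.Errorf("aud %v is not the provider's allowed audience %q", c.Aud, allowedAud)
	}
	if got := principalMember(projectNumber, pool, c.Sub); got != boundMember {
		return fmt.Errorf("binding names %q but the token maps to %q", boundMember, got)
	}
	return nil
}

// Constructed demo values (assumed, not from a real project).
const (
	projectNumber = "12345678"
	pool          = "pool-k8s"
	// An OIDC provider's default allowed audience is https://iam.googleapis.com/
	// followed by the provider resource name (the STS "audience" form drops the scheme).
	allowedAud = "https://iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1"
	k8sSubject = "system:serviceaccount:default:svc1-sa"
)

// sampleToken builds a token with the shape of a projected service-account
// token; the signature segment is a placeholder because nothing here verifies it.
func sampleToken(sub, aud string, exp time.Time) string {
	enc := base64.RawURLEncoding.EncodeToString
	pl, _ := json.Marshal(claims{Iss: "https://kubernetes.default.svc", Sub: sub, Aud: []string{aud}, Exp: exp.Unix()})
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(pl) + ".sig"
}

func main() {
	now := time.Now()
	bound := principalMember(projectNumber, pool, k8sSubject)
	good := sampleToken(k8sSubject, allowedAud, now.Add(time.Hour))
	// Same namespace, different service account: must not satisfy the binding.
	other := sampleToken("system:serviceaccount:default:svc2-sa", allowedAud, now.Add(time.Hour))
	fmt.Println("svc1-sa:", checkBinding(good, projectNumber, pool, allowedAud, bound, now))
	fmt.Println("svc2-sa:", checkBinding(other, projectNumber, pool, allowedAud, bound, now))
}
```

On a real cluster the token passed to `checkBinding` would be the contents of the projected file (`/var/run/secrets/iot-token/iot-token` on this page); the `aud` check is the one most often wrong in practice, because the value in the projected volume must match the provider's allowed audience rather than the `//iam.googleapis.com/...` string the STS call uses.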

# Read the projected token out of the pod. No -t here: a tty would append \r to the captured output
export OIDC_TOKEN=$(kubectl exec myapp-deployment-86d84cff8f-ckljb -- cat /var/run/secrets/iot-token/iot-token)
# Exchange it at STS for a federated access token (RFC 8693 token exchange):
# the audience is the provider resource name, the subject_token the raw JWT
curl -s -X POST -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "audience=//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1" \
  -d "subject_token_type=urn:ietf:params:oauth:token-type:jwt" \
  -d "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
  -d "scope=https://www.googleapis.com/auth/cloud-platform" \
  -d "subject_token=$OIDC_TOKEN" https://sts.googleapis.com/v1beta/token | jq '.'

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/var/run/secrets/iot-token/iot-token"
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/oidc-federated@$PROJECT_ID.iam.gserviceaccount.com:generateAccessToken"
}

# Generate the external_account config that the client libraries pick up through
# GOOGLE_APPLICATION_CREDENTIALS; the credential source is the projected token file
gcloud beta iam workload-identity-pools create-cred-config \
  projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1 \
  --service-account=oidc-federated@$PROJECT_ID.iam.gserviceaccount.com \
  --output-file=sts-creds.json \
  --credential-source-file=/var/run/secrets/iot-token/iot-token
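The config above makes a client library do two network calls: the STS token exchange shown in the curl command, then the `generateAccessToken` call named by `service_account_impersonation_url`. The following is an added example, not code from the original post or from the Google client libraries: it performs both calls against fake local STS and IAM Credentials endpoints so that it runs offline and the failure modes are visible. The project number, pool, provider and service-account name are assumed, the "JWT" is a constructed stand-in for the projected token, and the fakes are simplifications: the fake STS stands in for Google's signature check and attribute mapping, and the fake IAM endpoint stands in for the `roles/iam.workloadIdentityUser` check on the service account.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed demo values: not a real project, pool, service account or token.
const (
	stsAudience = "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1"
	serviceAcct = "oidc-federated@example-project.iam.gserviceaccount.com"
	demoJWT     = "eyJhbGciOiJSUzI1NiJ9.demo-payload.demo-signature" // stands in for the projected token
	demoMember  = "principal://iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/pool-k8s/subject/system:serviceaccount:default:svc1-sa"
)

// postForToken POSTs a body (optionally with a bearer) and returns one string field of the JSON reply.
func postForToken(ctx context.Context, u, bearer, ctype, body, field string) (string, error) {
	req, _ := http.NewRequestWithContext(ctx, http.MethodPost, u, strings.NewReader(body))
	req.Header.Set("Content-Type", ctype)
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out map[string]any
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s: status %d, body %v", u, resp.StatusCode, out)
	}
	if s, _ := out[field].(string); s != "" {
		return s, nil
	}
	return "", fmt.Errorf("%s: no %q in reply", u, field)
}

// exchange is the RFC 8693 token exchange the curl command performs: the raw
// projected JWT goes in as subject_token, the provider resource name as audience.
func exchange(ctx context.Context, stsURL, audience, subjectToken string) (string, error) {
	form := url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"audience":             {audience},
		"subject_token_type":   {"urn:ietf:params:oauth:token-type:jwt"},
		"requested_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"scope":                {"https://www.googleapis.com/auth/cloud-platform"},
		"subject_token":        {subjectToken},
	}
	return postForToken(ctx, stsURL, "", "application/x-www-form-urlencoded", form.Encode(), "access_token")
}

// impersonate is the generateAccessToken call behind service_account_impersonation_url:
// the federated token authenticates the caller, the reply carries the SA's own token.
func impersonate(ctx context.Context, iamURL, federated, sa string) (string, error) {
	return postForToken(ctx, iamURL+"/v1/projects/-/serviceAccounts/"+sa+":generateAccessToken",
		federated, "application/json", `{"scope":["https://www.googleapis.com/auth/cloud-platform"]}`, "accessToken")
}

// fakeGoogle stands up local STS and IAM Credentials look-alikes; mappedMember is the
// principal:// the real STS would derive from the verified JWT via the pool's attribute mapping.
func fakeGoogle(subjectToken, mappedMember string) (sts, iam *httptest.Server) {
	sts = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm()
		if r.URL.Path != "/v1/token" || r.PostForm.Get("audience") != stsAudience || r.PostForm.Get("subject_token") != subjectToken {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, `{"access_token":%q,"token_type":"Bearer","expires_in":3600}`, "fed:"+mappedMember)
	}))
	iam = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Stands in for the roles/iam.workloadIdentityUser binding on the service account.
		if r.Header.Get("Authorization") != "Bearer fed:"+mappedMember || !strings.HasSuffix(r.URL.Path, "/"+serviceAcct+":generateAccessToken") {
			http.Error(w, `{"error":{"status":"PERMISSION_DENIED"}}`, http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"accessToken":"ya29.demo-sa-token","expireTime":"2030-01-01T00:00:00Z"}`)
	}))
	return sts, iam
}

// runFlow performs the exchange, then the impersonation, and returns the SA access token.
func runFlow(ctx context.Context, stsURL, iamURL, subjectToken string) (string, error) {
	fed, err := exchange(ctx, stsURL+"/v1/token", stsAudience, subjectToken)
	if err != nil {
		return "", err
	}
	return impersonate(ctx, iamURL, fed, serviceAcct)
}

func main() {
	sts, iam := fakeGoogle(demoJWT, demoMember)
	defer sts.Close()
	defer iam.Close()
	fmt.Println(runFlow(context.Background(), sts.URL, iam.URL, demoJWT))
}
```

Pointing `exchange` at `https://sts.googleapis.com` and `impersonate` at `https://iamcredentials.googleapis.com` with a real projected token is the same two requests the library issues from the config; the federated token returned by the first call is only useful for the second, which is why the impersonation step, and the `workloadIdentityUser` binding it depends on, is where most misconfigurations fail.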

apiVersion: v1
kind: ServiceAccount
metadata:
  name: svc1-sa
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: mysecretname
  annotations:
    # Required: without it the token controller never populates the Secret
    kubernetes.io/service-account.name: svc1-sa
# The token minted into this Secret is the legacy kind: it does not expire and
# carries no aud claim, so it cannot be scoped to the workload identity provider
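The token the rest of the page reads from /var/run/secrets/iot-token/iot-token is the kind a projected volume produces: short-lived and bound to an audience. As an added example, not a manifest from the original post, here is a Deployment that mounts such a token for svc1-sa with the provider's audience and a one-hour lifetime, next to the generated sts-creds.json. The image name, the Secret name sts-creds (assumed to hold the output of create-cred-config), and the audience value (the provider's default allowed audience, which is https://iam.googleapis.com/ plus the provider resource name) are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      serviceAccountName: svc1-sa
      containers:
      - name: myapp
        image: myapp:latest            # placeholder image
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /adc/creds/sts-creds.json
        volumeMounts:
        - name: iot-token
          mountPath: /var/run/secrets/iot-token
          readOnly: true
        - name: adc
          mountPath: /adc/creds
          readOnly: true
      volumes:
      - name: iot-token
        projected:
          sources:
          - serviceAccountToken:
              path: iot-token          # yields /var/run/secrets/iot-token/iot-token
              expirationSeconds: 3600  # kubelet rotates it before expiry; the library re-reads the file
              # must equal an allowed audience of the provider; the default is the https:// form below
              audience: https://iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1
      - name: adc
        secret:
          secretName: sts-creds        # assumed: kubectl create secret generic sts-creds --from-file=sts-creds.json
```

The projected token's `sub` is `system:serviceaccount:default:svc1-sa`, which is what the `principal://.../subject/...` binding names; the audience is the one thing here that must agree with the provider configuration rather than with anything else on this page.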

$ kubectl exec -ti myapp-deployment-548bb79f55-brddj /bin/bash
root@myapp-deployment-548bb79f55-brddj:/# echo $GOOGLE_APPLICATION_CREDENTIALS
/adc/creds/sts-creds.json
root@myapp-deployment-548bb79f55-brddj:/# cat /adc/creds/sts-creds.json
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",

package main

import (
	"context"
	"fmt"
	"log"
	"time"

	"github.com/golang-jwt/jwt"
	// jwt.SigningMethod whose private key stays inside the TPM
	tpmjwt "github.com/salrashid123/golang-jwt-tpm"
)

package main

import (
	"context"
	"fmt"
	"log"
	"time"

	"github.com/golang-jwt/jwt"
	// jwt.SigningMethod backed by a key held on a YubiKey
	yk "github.com/salrashid123/golang-jwt-yubikey"
)

var ()

#!/usr/bin/python
# 1. user auth
# export http_proxy=http://localhost:3128
# auth N
# gcs N
# pubsub Y
# proxy access-log entry for the tunnelled request:
# 1638366068.078 261 192.168.9.1 TCP_TUNNEL/200 7876 CONNECT pubsub.googleapis.com:443 - HIER_DIRECT/142.250.73.202 -

package com.test;

import java.io.IOException;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.SocketAddress;

import com.google.api.client.http.HttpTransport;
//import com.google.api.client.http.apache.ApacheHttpTransport;