@salrashid123
salrashid123 / main.py
Last active December 21, 2021 18:58
google-auth python. Impersonate and domain-delegate using impersonated_credentials
# snippet uses ADC credentials to impersonate generic-server@project.iam.gserviceaccount.com,
# then uses that service account's credentials to create a token for user2 via domain-wide delegation;
# after that, the GCS and Pub/Sub calls are made as if they came from user2
import google.auth
import time
from google.auth import credentials
from google.cloud import iam_credentials_v1
from google.auth import impersonated_credentials
@salrashid123
salrashid123 / static_credentials.py
Created December 20, 2021 16:39
google.auth.StaticCredentials
## StaticCredentials should be in google.auth.
# sc = StaticCredentials(token=access_token,expires_in=expires_in,token_type=token_type)
# from google.cloud import storage
# client = storage.Client(project=project, credentials=sc)
# for b in client.list_buckets():
# print(b.name)
@salrashid123
salrashid123 / kms_rsa.md
Created December 16, 2021 14:15
Encrypt/Decrypt using RSA openssl and GCP Cloud KMS

given a key of type

gcloud kms keys list --keyring=mykeyring --location=us-central1
   projects/mineral-minutia-820/locations/us-central1/keyRings/mykeyring/cryptoKeys/dlp            ASYMMETRIC_DECRYPT  RSA_DECRYPT_OAEP_2048_SHA1    SOFTWARE
gcloud kms keys versions get-public-key 1 --key dlp --keyring=mykeyring --location=us-central1 > key.pub
@salrashid123
salrashid123 / main.go
Last active December 8, 2021 12:33
Google Cloud Storage Downscope tokens api in go
package main
import (
	"context"
	"fmt"
	"io"
	"os"

	"cloud.google.com/go/storage"
@salrashid123
salrashid123 / k8s_wif_14.txt
Created December 6, 2021 13:25
k8s_wif_14.txt
export DISCOVERY_URL="https://e782-72-83-67-174.ngrok.io"
minikube start --driver=kvm2 --feature-gates=ServiceAccountIssuerDiscovery=true \
--extra-config=apiserver.service-account-jwks-uri=$DISCOVERY_URL/openid/v1/jwks \
--extra-config=apiserver.service-account-issuer=$DISCOVERY_URL
# create the cluster role binding that exposes the OIDC discovery endpoints to unauthenticated callers
kubectl create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated
@salrashid123
salrashid123 / k8s_ngrok.txt
Created December 6, 2021 13:24
k8s_ngrok.txt
curl -s $DISCOVERY_URL/.well-known/openid-configuration | jq '.'
{
  "issuer": "https://e782-72-83-67-174.ngrok.io",
  "jwks_uri": "https://e782-72-83-67-174.ngrok.io/openid/v1/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
@salrashid123
salrashid123 / k8s_wif_11.txt
Created December 6, 2021 13:23
k8s_wif_11.txt
$ kubectl get po
NAME                                READY   STATUS    RESTARTS   AGE
myapp-deployment-86d84cff8f-ckljb   1/1     Running   0          26s
myapp-deployment-86d84cff8f-nkshd   1/1     Running   0          26s
$ kubectl exec -ti myapp-deployment-86d84cff8f-ckljb cat /var/run/secrets/iot-token/iot-token
eyJhbGciOiJSUzI1NiIsImtpZCI6IkFUaUdaN2Y2ZTRfMlFtOG5lQWhQeFlEVnlmRkpEQzNTUV9JNFFIdFgzbjgifQ.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.mFf5VEdeFXhi2I7tYN5ORToKeEPlnRW3uNPUGEkcozMtNAGVrL0bRKm7eaQHWilpdxFJ3gjN7RjHOqP0e-4dsHl_zE2S
@salrashid123
salrashid123 / ks8_wif_9.txt
Created December 6, 2021 13:22
ks8_wif_9.txt
gcloud iam service-accounts create oidc-federated
gcloud iam service-accounts add-iam-policy-binding oidc-federated@$PROJECT_ID.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/pool-k8s/subject/system:serviceaccount:default:svc1-sa"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member "serviceAccount:oidc-federated@$PROJECT_ID.iam.gserviceaccount.com" \
--role roles/storage.objectAdmin
@salrashid123
salrashid123 / k8s_wif_7.sh
Created December 6, 2021 13:21
k8s_wif_7.sh
export OIDC_TOKEN=`kubectl exec -ti myapp-deployment-86d84cff8f-ckljb cat /var/run/secrets/iot-token/iot-token`
curl -s -X POST -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "audience=//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1" \
-d "subject_token_type=urn:ietf:params:oauth:token-type:jwt" \
-d "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
-d "scope=https://www.googleapis.com/auth/cloud-platform" \
-d "subject_token=$OIDC_TOKEN" https://sts.googleapis.com/v1beta/token | jq '.'
@salrashid123
salrashid123 / k8s_wif_5.json
Created December 6, 2021 13:20
k8s_wif_5.json
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/pool-k8s/providers/oidc-provider-k8s-1",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/var/run/secrets/iot-token"
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/oidc-federated@your-project-id.iam.gserviceaccount.com:generateAccessToken"