salrashid123

GCP x509 Workload Federation in python using TPM based authentication and openssl

assume you have a workload federation trusted cert and PEM key (workload3.crt, workload3.key), the following will embed the key into the tpm. Workload federation will use the tpm-based key for mtls.

you can ofcourse create the key inside the tpm or securely import it. those options are described here

Setup TPM tools

Python mTLS client/server with TPM based key

sample client/server webapp in python using mtls where the client key is resident on a trusted platform module

Setup openssl

# on debian 12

GCP Enterprise Certificate Proxy with SoftHSM

setup of Google Proxies for Enterprise Certificates (GA) with SoftHSM

This sample will embed a device certificate and key into SoftHSM and then access softHSM for mTLS using the GCP proxy.

A default GCS client uses the enterprise proxy transparently to access gcp resources via mTLS

Parsing the x-envoy-peer-metadata field.

eg, in istio outbound

{
  "args": {}, 
  "headers": {
    "Accept-Encoding": "gzip", 
    "Host": "httpbin.org",

BQ wrapped keyset per row

generate wrapped key per user

bq query --nouse_legacy_sql "
DECLARE kms_resource_name STRING;
SET kms_resource_name = 'gcp-kms://projects/srashid-test2/locations/us/keyRings/bqkr/cryptoKeys/k1';

encode/decode go-tpm request parameters for use with TPMPolicySyntax

github.com/google/go-tpm/tpm2/sessions.go

func CPBytes[R any](cmd Command[R, *R]) ([]byte, error) {
	return cmdParameters(cmd, nil)
}

AWS v4 signed request using Trusted Platform Module

similar to https://github.com/aws-samples/sigv4-signing-examples but the varaint below invokes sts.GetCallerIdentity where the AWS_SECRET_ACCESS_KEY is embedded in a TPM

In other words, this sample will seal the AWS_SECRET_ACCESS_KEY inside a TPM and then use the TPM to create an AWS v4 signature at no time does the secret leave the TPM but it can be made to issue an hmac

for more info, see

https://github.com/salrashid123/tpm2/tree/master/hmac_import

Variant of AWS v4 signing without SDK

https://github.com/aws-samples/sigv4-signing-examples

but the varaint below invokes sts.GetCallerIdentity

To use, simply export env vars and run the python script below.

The script will manually sign and invoke the api using the AWS_SECRET_ACCESS_KEY as the secret

	/*
	simple example of https://pkg.go.dev/golang.org/x/oauth2/google/externalaccount#SubjectTokenSupplier


	also see https://github.com/salrashid123/gcp_aws_web_identity
	*/

	package main

	import (

	package main

	// gcloud auth application-default login
	// export USER=`gcloud config get-value core/account`
	// export PROJECT_ID=`gcloud config get-value core/project`
	// export QUOTA_PROJECT=$PROJECT_ID
	// export ORGANIZATION_ID="organizations/1111111"

	// gcloud services enable policyanalyzer.googleapis.com
	// gcloud projects add-iam-policy-binding --role=roles/serviceusage.serviceUsageConsumer --member=user:$USER $QUOTA_PROJECT