Skip to content

feat: Add impersonated service account to gcloud default credentials #728

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
liuchaoren wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat: Add impersonated service account to gcloud default credentials #728

liuchaoren wants to merge 2 commits into from

Conversation

@liuchaoren
Copy link

@liuchaoren liuchaoren commented Mar 29, 2021

No description provided.

@liuchaoren liuchaoren requested a review from a team March 29, 2021 19:37
@google-cla google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Mar 29, 2021
@liuchaoren liuchaoren mentioned this pull request Mar 29, 2021
Closed
@liuchaoren liuchaoren mentioned this pull request May 27, 2021
Closed
shinfan
shinfan reviewed Jul 2, 2021
View reviewed changes
aip/auth/4110.md
1. If certificate is presented, embed the certificate into the JWT.
1. Use the regular [self-signed JWT flow][4] for an access token. _[END]_
1. Use user identity flow to exchange for an access token. _[END]_
1. Use the gcloud default credential to exchange for an access token. _[END]_
Copy link
Contributor

@shinfan shinfan Jul 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you link this flow to 4113? Something like:

Use the gcloud default credential to exchange for an access token. [END]

aip/auth/4113.md
target principal to impersonate. All other service accounts are delegates. For
more information about the ‘--impersonate-service-account’ flag, please read
the help text of [gcloud][0]. For more information about service account
impersonation, please read the **TODO(silvano@ will submit his PR)**.
Copy link
Contributor

@shinfan shinfan Jul 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets remove the TODO here and add this sentence with the impersonation PR.

aip/auth/4113.md
applications **should** call [IAM APIs][5] to request a short-lived access
token of the impersonated service account. The access token of the impersonated
service account **should** be used to authenticate the request to GCP APIs.

Copy link
Contributor

@shinfan shinfan Jul 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a change log section here?

aip/auth/4113.md

gcloud default credentials can be generated via command [gcloud auth
application-default login][2].
gcloud default credentials can be generated via command [gcloud auth
Copy link
Contributor

@shinfan shinfan Jul 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can have two sections here:

Gcloud User Credential

...

Impersonated Service Account

...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shinfan shinfan shinfan left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

cla: yes This human has signed the Contributor License Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@liuchaoren @shinfan