iapclient

package module
v0.0.0-...-06e0afa Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 4, 2021 License: Apache-2.0 Imports: 14 Imported by: 0

README

iapclient

iapclient is a library to facilitate programmatic service-account authentication to endpoints protected by Google Cloud Platform's Identity Aware Proxy

See the ./examples directory for how to use this.

Before using:

  1. Set permissions "appropriately"
    • roles/iam.serviceAccountTokenCreator on the Service Account's own Service Account (yes, really - it's required for signBlob to work)
    • roles/iap.httpsResourceAccessor on the target project where the IAP-protected resource is
  2. Collect the target URI and Client ID

In summary, iapclient.NewIAP returns an http.RoundTripper that can be set as your http.Client's transport:

iap, err := iapclient.NewIAP("client-id", nil)
if err != nil {
    log.Fatalf("Failed to create new IAP object: %v", err)
}

httpClient := &http.Client{
    Transport: iap,
}

req, err := http.NewRequest("GET", "some uri", nil)
...

Why

IAP-protected resources use a weird OAuth flow that's extremely fluid for web-browser based human clients, but quite awkward to authenticate to as a service account.

What this library does

The upstream documentation for this process is Authentication Howto

The high-level summary is:

  1. Create a custom JWT with fields
    • exp - Epoch time 1 hour in the future
    • aud - https://www.googleapis.com/oauth2/v4/token
    • iss - Service Account email (get from JSON or metadata service)
    • iat - Current epoch time
    • target_audience - IAP OAuth ClientID (must be gotten manually)
  2. Use the projects.serviceAccounts.signJwt method to have Google sign the JWT as your service account. This is done instead of using the private key because Application Default Authentication does not have the private key unless a JSON file is in use, and implementing both seemed silly.
  3. Do a POST to the OAuth Token URI (https://www.googleapis.com/oauth2/v4/token) Body should have the following fields:
    • assertion - the signed JWT gotten back from signJwt
    • grant_type - urn:ietf:params:oauth:grant-type:jwt-bearer
  4. Use the returned string for authentication by adding Authorization: Bearer <string> to the IAP-directed request

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config 

type Config struct {
	HTTPClient *http.Client
	Transport  http.RoundTripper
	// In the event that you happen to be using this in Cloud Builder, you'll
	// need to override the email address used for signing the JWT as Cloud
	// Builder's service account can't use the signJwt API endpoint for
	// $REASONS (it's a 500 and Google says it's not supported)
	SignerEmail string
}

Config stores parameters optional for NewIAP

type IAP 

type IAP struct {
	sync.Mutex
	// contains filtered or unexported fields
}

IAP struct to represent the latest retrieved auth details

func NewIAP 

func NewIAP(cid string, config *Config) (*IAP, error)

NewIAP creates a new IAP object to fetch and refresh IAP authentication

func (*IAP) GetToken 

func (iap *IAP) GetToken(ctx context.Context) (token string, err error)

GetToken refreshes the token if necessary, and returns it

func (*IAP) RoundTrip 

func (iap *IAP) RoundTrip(req *http.Request) (resp *http.Response, err error)

RoundTrip makes the IAP object into a valid http.Transport interface

Source Files

View all Source files

Directories

Path Synopsis
examples
customca
iapwrap
prometheus
simple

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.