credential

package
v0.1.0
Published: Jan 9, 2025 License: MPL-2.0 Imports: 23 Imported by: 0

Documentation


Constants

const (
	// ConstProjectId defines the attribute name for a GCP project
	ConstProjectId = "project_id"

	// ConstZone defines the attribute name for a GCP zone
	ConstZone = "zone"

	// ConstDisableCredentialRotation is the key for the disable credential rotation in the GCP credentials.
	ConstDisableCredentialRotation = "disable_credential_rotation"

	// ConstCredsLastRotatedTime is the key for the last rotated time in the GCP credentials.
	ConstCredsLastRotatedTime = "creds_last_rotated_time"

	// ConstClientEmail is the email address associated with the service account
	ConstClientEmail = "client_email"

	// ConstTargetServiceAccountID is the unique identifier for the service account that will be impersonated.
	ConstTargetServiceAccountID = "target_service_account_id"

	// ConstPrivateKeyId is the private key id associated with the service account
	ConstPrivateKeyId = "private_key_id"

	// ConstPrivateKey is the private key associated with the service account
	ConstPrivateKey = "private_key"
)
const (
	// ComputeInstancesListPermission is the IAM permission required
	// to list compute instances.
	ComputeInstancesListPermission = "compute.instances.list"
	// IAMServiceAccountKeysCreatePermission is the IAM permission
	// required to create a service account key.
	// This permission is required to rotate service account keys.
	IAMServiceAccountKeysCreatePermission = "iam.serviceAccountKeys.create"
	// IAMServiceAccountKeysDeletePermission is the IAM permission
	// required to delete a service account key.
	// This permission is required to rotate service account keys.
	IAMServiceAccountKeysDeletePermission = "iam.serviceAccountKeys.delete"
)

Variables

This section is empty.

Functions

func NewGRPCServer

func NewGRPCServer() *grpcServer

func NewTestIAMAdminServer

func NewTestIAMAdminServer(createServiceAccountKeyError error, deleteServiceAccountKeyError error) *testIAMAdminServer

func NewTestResourceServer

func NewTestResourceServer(testIamPermissionsResponse *iampb.TestIamPermissionsResponse, testIamPermissionsError error) *testResourceServer

Types

type Config

type Config struct {
	ProjectId              string
	PrivateKey             string
	PrivateKeyId           string
	Zone                   string
	ClientEmail            string
	TargetServiceAccountId string
	Scopes                 []string
	// contains filtered or unexported fields
}

Config is the configuration for the GCP credential.

func GetCredentialsConfig

func GetCredentialsConfig(secrets *structpb.Struct, attrs *CredentialAttributes) (*Config, error)

GetCredentialsConfig parses values out of a protobuf struct of secrets and returns a Config used for configuring a GCP session. A status error with an InvalidArgument code is returned if any unrecognized fields are found in the protobuf struct input.

func NewConfig

func NewConfig(opt ...Option) (*Config, error)

NewConfig creates a new GCP credential configuration based on the provided options. If the options are invalid, it will return an error.

func (*Config) DeletePrivateKey

func (c *Config) DeletePrivateKey(ctx context.Context, opts ...option.ClientOption) error

func (*Config) GenerateCredentials

func (c *Config) GenerateCredentials(ctx context.Context) (*google.Credentials, error)

GenerateCredentials generates GCP credentials based on the provided configuration. It supports Service Account Key, Service Account Impersonation, and Application Default Credentials (ADC). If the credentials have already been generated, it returns the cached credentials.

func (*Config) IsRotatable

func (c *Config) IsRotatable() bool

IsRotatable returns a boolean indicating if the credentials are rotatable.

func (*Config) RotateServiceAccountKey

func (c *Config) RotateServiceAccountKey(
	ctx context.Context,
	permissions []string,
	validateCredsCallback ValidateCredsCallback,
	opts ...option.ClientOption,
) error

RotateServiceAccountKey takes the private key from this credentials config and first creates a new private key and private key id, then deletes the old private key.

If deletion of the old private key is successful, the new private key and private key id are written into the credentials config and nil is returned. On any error, the old credentials are not overwritten.

func (*Config) ValidateIamPermissions

func (c *Config) ValidateIamPermissions(ctx context.Context, permissions []string, opts ...option.ClientOption) ([]string, error)

ValidateIamPermissions tests the IAM permissions for the credentials. It returns the granted permissions if successful.

func (*Config) ValidateServiceAccountKey

func (c *Config) ValidateServiceAccountKey(
	ctx context.Context,
	permissions []string,
	validateCredsCallback ValidateCredsCallback,
	opts ...option.ClientOption) error

ValidateServiceAccountKey validates the service account key by checking the IAM permissions and calling the validation callback. The function will retry validation until the timeout is reached.

type CredentialAttributes

type CredentialAttributes struct {
	// ProjectId is the project id associated with the GCP credentials
	ProjectId string

	// Zone is the zone associated with the GCP credentials
	Zone string

	// DisableCredentialRotation disables the rotation of the GCP service account key associated with the plugin
	DisableCredentialRotation bool

	// ClientEmail is the email associated with the GCP cloud credentials
	ClientEmail string

	// TargetServiceAccountId is the unique identifier for the service account that will be impersonated
	TargetServiceAccountId string
}

CredentialAttributes contains the attributes used for authenticating to GCP and accessing a list of instances.

func GetCredentialAttributes

func GetCredentialAttributes(in *structpb.Struct) (*CredentialAttributes, error)

GetCredentialAttributes checks the attributes required by GCP to access a list of instances and populates them into Boundary's host catalog.

type CredentialType

type CredentialType int

type Option

type Option func(*Options) error

Option - how Options are passed as arguments

func WithClientEmail

func WithClientEmail(email string) Option

WithClientEmail - The email address associated with the service account. The email address used to uniquely identify the service account

func WithCredentialsConfig

func WithCredentialsConfig(c *Config) Option

WithCredentialsConfig - set the credentials config

func WithCredsLastRotatedTime

func WithCredsLastRotatedTime(t time.Time) Option

WithCredsLastRotatedTime - The last time the service account key was rotated

func WithPrivateKey

func WithPrivateKey(key string) Option

WithPrivateKey - set the GCP service account private key used for authentication

func WithPrivateKeyId

func WithPrivateKeyId(id string) Option

WithPrivateKeyId - The private key ID of the GCP service account

func WithProjectId

func WithProjectId(id string) Option

WithProjectId - The project ID associated with the service account

func WithScopes

func WithScopes(scopes []string) Option

WithScopes - set the GCP scope that defines the level of access that the requested access token will have. This option is required when authenticating with Service Account Impersonation.

func WithTargetServiceAccountId

func WithTargetServiceAccountId(id string) Option

WithTargetServiceAccountId - The account that will be impersonated. This account has permission to perform actions that the base service account does not have.

func WithZone

func WithZone(zone string) Option

WithZone - The zone where the GCP resources are located

type Options

type Options struct {
	WithCredentialsConfig      *Config
	WithCredsLastRotatedTime   time.Time
	WithClientEmail            string
	WithProjectId              string
	WithTargetServiceAccountId string
	WithZone                   string
	WithPrivateKeyId           string
	WithPrivateKey             string
	WithScopes                 []string
}

Options - how options are represented

type PersistedState

type PersistedState struct {
	// CredentialsConfig is the credential configuration for the GCP credential.
	CredentialsConfig *Config
	// CredsLastRotatedTime is the last rotation of service account key for the GCP credential.
	CredsLastRotatedTime time.Time
}

PersistedState is the persisted state for the GCP credential.

func NewPersistedState

func NewPersistedState(opt ...Option) (*PersistedState, error)

NewPersistedState - create a new PersistedState

func PersistedStateFromProto

func PersistedStateFromProto(secrets *structpb.Struct, attrs *CredentialAttributes, opts ...Option) (*PersistedState, error)

PersistedStateFromProto parses values out of a protobuf struct input and returns a PersistedState used for GCP authentication.

func (*PersistedState) DeleteCreds

func (s *PersistedState) DeleteCreds(ctx context.Context, opts ...option.ClientOption) error

DeleteCreds deletes the credentials in the state. The access key ID, secret access key, and rotation time fields are zeroed out in the state just to ensure that they cannot be re-used after. This method returns a status error with PluginError details.

func (*PersistedState) ReplaceCreds

func (s *PersistedState) ReplaceCreds(ctx context.Context, newCreds *Config, opts ...option.ClientOption) error

ReplaceCreds replaces the private key in the state with a new key. If the existing key was rotated at any point in time, it is deleted first, otherwise it's left alone. This method returns a status error with PluginError details.

func (*PersistedState) RotateCreds

func (s *PersistedState) RotateCreds(
	ctx context.Context,
	permissions []string,
	validateCredsCallback ValidateCredsCallback,
	opts ...option.ClientOption) error

RotateCreds rotates the credentials for the GCP catalog and updates the last rotated time.

func (*PersistedState) ToMap

func (s *PersistedState) ToMap() map[string]any

ToMap returns a map of the credentials stored in the persisted state. For long-term credentials the map has the following keys: private_key_id, private_key and creds_last_rotated_time.

type ServiceAccountPrivateKey

type ServiceAccountPrivateKey struct {
	Type                    string `json:"type"`
	ProjectID               string `json:"project_id"`
	PrivateKeyID            string `json:"private_key_id"`
	PrivateKey              string `json:"private_key"`
	ClientEmail             string `json:"client_email"`
	ClientID                string `json:"client_id"`
	AuthURI                 string `json:"auth_uri"`
	TokenURI                string `json:"token_uri"`
	AuthProviderX509CertURL string `json:"auth_provider_x509_cert_url"`
	ClientX509CertURL       string `json:"client_x509_cert_url"`
}

ServiceAccountPrivateKey represents a decoded PrivateKeyData from a Service Account Key. https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKey

type ValidateCredsCallback

type ValidateCredsCallback func(*Config, ...option.ClientOption) error

ValidateCredsCallback is called to validate the credentials after rotating the service account key. The callback should return an error if the credentials are invalid.
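The contract documented for RotateServiceAccountKey (create, validate, delete the old key, and never overwrite the config on error), the PrivateKeyData decoding that ServiceAccountPrivateKey represents, and the ValidateCredsCallback hook, shown together in a self-contained example added here (not the package's own code). KeyAdmin, EncodePrivateKeyData and the trimmed Config are assumed stand-ins for the real IAM admin client and the package types, and the fake admin's key data is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)
// Trimmed stand-ins for the package's Config and ServiceAccountPrivateKey types.
type Config struct{ ClientEmail, PrivateKeyID, PrivateKey string }
type ServiceAccountPrivateKey struct {
	PrivateKeyID string `json:"private_key_id"`
	PrivateKey   string `json:"private_key"`
}
// KeyAdmin is an assumed stand-in for the IAM admin client; CreateKey returns the new key id plus its PrivateKeyData.
type KeyAdmin struct {
	CreateKey func(email string) (id, privateKeyData string, err error)
	DeleteKey func(email, id string) error
}
// RotateServiceAccountKey creates, validates, deletes the old key, then overwrites c; no failure path touches c.
func RotateServiceAccountKey(c *Config, admin KeyAdmin, validate func(*Config) error) error {
	newID, data, err := admin.CreateKey(c.ClientEmail)
	if err != nil {
		return fmt.Errorf("create key: %w", err)
	}
	var sak ServiceAccountPrivateKey // PrivateKeyData is the base64-encoded JSON key file
	if raw, err := base64.StdEncoding.DecodeString(data); err != nil || json.Unmarshal(raw, &sak) != nil {
		return fmt.Errorf("undecodable PrivateKeyData for key %s", newID)
	}
	candidate := &Config{ClientEmail: c.ClientEmail, PrivateKeyID: newID, PrivateKey: sak.PrivateKey}
	if err := validate(candidate); err != nil {
		_ = admin.DeleteKey(c.ClientEmail, newID) // assumption: discard the unusable new key
		return fmt.Errorf("validate new key: %w", err)
	}
	if err := admin.DeleteKey(c.ClientEmail, c.PrivateKeyID); err != nil {
		return fmt.Errorf("delete old key: %w", err)
	}
	*c = *candidate
	return nil
}
// EncodePrivateKeyData builds PrivateKeyData the way the API would (for the constructed fake).
func EncodePrivateKeyData(id, pem string) string {
	raw, _ := json.Marshal(ServiceAccountPrivateKey{PrivateKeyID: id, PrivateKey: pem})
	return base64.StdEncoding.EncodeToString(raw)
}
func main() { // constructed fake admin: one new key, deletes always succeed
	c := &Config{ClientEmail: "sa@example.iam.gserviceaccount.com", PrivateKeyID: "key-old"}
	create := func(string) (string, string, error) { return "key-new", EncodePrivateKeyData("key-new", "PEM-new"), nil }
	fmt.Println(RotateServiceAccountKey(c, KeyAdmin{create, func(_, _ string) error { return nil }}, func(*Config) error { return nil }), c.PrivateKeyID)
}
```

The three error branches are the ones worth exercising: a validation failure must delete only the new key, and a failed deletion of the old key or undecodable key data must leave the stored credentials exactly as they were.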
