gcp

package
v0.0.0-...-547780f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 31, 2025 License: MPL-2.0, MPL-2.0 Imports: 37 Imported by: 0

README

OpenBao Plugin: Google Cloud Platform Auth Backend

This is a standalone backend plugin for use with OpenBao. This plugin allows for various GCP entities to authenticate with OpenBao. This is currently included in OpenBao distributions.

Currently, this plugin supports login for:

  • IAM service accounts
  • GCE Instances

Getting Started

This is an OpenBao plugin and is meant to work with OpenBao. This guide assumes you have already installed Openbao and have a basic understanding of how OpenBao works.

Otherwise, first read this guide on how to get started with OpenBao.

To learn specifically about how plugins work, see documentation on OpenBao plugins.

Usage

Please see documentation for the plugin in this repository.

Developing

If you wish to work on this plugin, you'll first need Go installed on your machine (version 1.10+ is required).

For local dev first make sure Go is properly installed, including setting up a GOPATH. Next, clone this repository into your GOPATH:

Build Plugin

If you're developing for the first time, run make bootstrap to install the necessary tools. Bootstrap will also update repository name references if that has not been performed ever before.

$ make bootstrap

To compile a development version of this plugin, run make or make dev. This will put the plugin binary in the bin and $GOPATH/bin folders. dev mode will only generate the binary for your platform and is faster:

$ make
$ make dev
Start OpenBao

  1. For local development, use OpenBao's "dev" mode for fast setup:

    $ bao server -dev -dev-root-token-id=root -dev-plugin-dir="$GOPATH/openbao-plugins"
Set Up Plugin in OpenBao

Next you want OpenBao to use the newly built binary instead of the version bundled with Openbao. You can use the scripted or manual methods depending on your preference.

Scripted method.

  1. A Terraform project sets up the necessary gcp service account & credentials. You can configure the project id via this environment variable: TF_VAR_GOOGLE_CLOUD_PROJECT_ID or paste it in the terminal when prompted.

    $ make setup-env

  2. Source the environment variables generated by the setup project:

    $ source ./bootstrap/terraform/local_environment_setup.sh

  3. Enable the dev version of the plugin on your local OpenBao instance. You can specify the plugin name, development plugin_directory and mount path or leave empty to use the default values.

    $ make configure PLUGIN_NAME=openbao-plugin-auth-gcp PLUGIN_DIR=$GOPATH/openbao-plugins PLUGIN_PATH=gcp

Manual method.

  1. Save the name of your project as an environment variable for reference:

    $ export GOOGLE_CLOUD_PROJECT=my-project # replace with your project ID

The remaining steps may also be executed by running . scripts/cred_setup.sh.

  1. Enable the IAM service on the project:

    $ gcloud services enable --project "${GOOGLE_CLOUD_PROJECT}" \
    cloudresourcemanager.googleapis.com \
    iam.googleapis.com

  2. Create the service account:

    $ gcloud iam service-accounts create openbao-tester \
    --display-name openbao-tester \
    --project "${GOOGLE_CLOUD_PROJECT}"

  3. Grant project.viewer and serviceaccount.admin permissions:

    $ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
    --member "serviceAccount:openbao-tester@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" \
    --role "roles/viewer"

$ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
    --member "serviceAccount:openbao-tester@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" \
    --role "roles/iam.serviceAccountKeyAdmin"

$ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
    --member "serviceAccount:openbao-tester@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" \
    --role "roles/iam.serviceAccountTokenCreator"

  4. Download the service account key file to local disk:

    $ gcloud iam service-accounts keys create openbao-tester.json \
    --iam-account "openbao-tester@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"

  5. Export the credentials to an environment variable:

    $ export GOOGLE_TEST_CREDENTIALS="$(cat openbao-tester.json)"
Tests

This plugin has comprehensive acceptance tests covering most of the features of this auth backend.

If you are developing this plugin and want to verify it is still functioning (and you haven't broken anything else), we recommend running the acceptance tests.

Acceptance tests typically require other environment variables to be set for things such as access keys. The test itself should error early and tell you what to set, so it is not documented here.

Warning: The acceptance tests create/destroy/modify real resources, which may incur real costs in some cases. In the presence of a bug, it is technically possible that broken backends could leave dangling data behind. Therefore, please run the acceptance tests at your own risk. At the very least, we recommend running them in their own private account for whatever backend you're testing.

To run the acceptance tests, you will need a GCP IAM service account with the appropriate permissions. You can use the steps explained in the setup section to configure one for you.

  1. Save the name of your test project as an environment variable for reference:

    $ export GOOGLE_CLOUD_PROJECT_ID=my-project # replace with your project ID

  2. Run the acceptance tests:

    $ make testacc

Note that it may take some time (e.g. over a minute) for the new credentials to work.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AuthorizeGCE 

func AuthorizeGCE(ctx context.Context, i *AuthorizeGCEInput) error

func Factory 

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Factory returns a new backend as logical.Backend.

Types

type AuthorizeGCEInput 

type AuthorizeGCEInput struct {
	// contains filtered or unexported fields
}

type CLIHandler 

type CLIHandler struct{}

func (*CLIHandler) Auth 

func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error)

func (*CLIHandler) Help 

func (h *CLIHandler) Help() string

type GcpAuthBackend 

type GcpAuthBackend struct {
	*framework.Backend
	// contains filtered or unexported fields
}

func Backend 

func Backend() *GcpAuthBackend

func (*GcpAuthBackend) CRMClient 

func (b *GcpAuthBackend) CRMClient(ctx context.Context, s logical.Storage) (*cloudresourcemanager.Service, error)

CRMClient returns a new Cloud Resource Manager client. The client is cached.

func (*GcpAuthBackend) ClearCaches 

func (b *GcpAuthBackend) ClearCaches()

ClearCaches deletes all cached clients and credentials.

func (*GcpAuthBackend) ComputeClient 

func (b *GcpAuthBackend) ComputeClient(ctx context.Context, s logical.Storage) (*compute.Service, error)

ComputeClient returns a new Compute client. The client is cached.

func (*GcpAuthBackend) IAMClient 

func (b *GcpAuthBackend) IAMClient(ctx context.Context, s logical.Storage) (*iam.Service, error)

IAMClient returns a new IAM client. This client talks to the IAM endpoint, for all things that are not signing JWTs. The SignJWT method in the IAM client has been deprecated, but other methods are still valid and supported.

See: https://pkg.go.dev/google.golang.org/api@v0.45.0/iam/v1 and: https://cloud.google.com/iam/docs/migrating-to-credentials-api#iam-sign-jwt-go

The client is cached.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.