Supporting impersonated service count (builds on #76)#77
Supporting impersonated service count (builds on #76)#77
Conversation
This PR supports parsing both formats in either the `GOOGLE_APPLICATION_CREDENTIALS` env variable or the `~/.config/gcloud/application_default_credentials.json` file.
| // account specified by `service_account_impersonation_url`. | ||
| // refresh logic https://github.com/golang/oauth2/blob/a835fc4358f6852f50c4c5c33fddcd1adade5b0a/google/internal/externalaccount/impersonate.go#L57 | ||
| #[derive(Deserialize, Debug)] | ||
| pub(crate) struct ImpersonatedServiceAccountCredentials { |
There was a problem hiding this comment.
The only weirdness about this PR is that I put the deserialization for ImpersonatedServiceAccount inside the flexible_credential_source file. I did this because in theory the source credentials could be anything (the referenced go sdk source didn't discriminate between what the source credentials were).
If there is a cleaner approach to this, please let me know.
msdrigg
force-pushed
the
flexible-patch-part-2
branch
from
fc39dac to
9dbde43
Compare
This PR adds a new `ServiceAccount` format that takes credentials from `source_credentials: ServiceAccount` and then makes a request to get a service account token using those credentials. This also adds the ability to parse the token format created by `gcloud auth application-default login --impersonate-service-account <service account>`
msdrigg
force-pushed
the
flexible-patch-part-2
branch
from
9dbde43 to
baa65d3
Compare
msdrigg
changed the title
|
Tested this PR with real world keys
|
|
This PR worked at the time I tested it, but I have not tested it in 2 years as you can see and now there are merge conflicts. The work that needs to be done is:
|
|
There's quite a bit of code here and it's not obvious to me why we need a separate |
|
So there is definitely some code here that can be trimmed down, but you still need some kind of flexible deserialization to cover these variables:
So you basically do need something like I think to make this less recursive and potentially more readable, you could pull out something like this into #[derive(Deserialize, Debug)]
struct ImpersonatedServiceAccountCredentials {Expand commentComment on line R112Code has comments. Press enter to view.
service_account_impersonation_url: String,
source_credentials: ServiceAccountOrUserAccount,
delegates: Vec<String>,
}
enum ServiceAccountOrUserAccount {
// ... tagged deserialization of service account or user account
}
// Actually deserialize this for your credential type
pub(crate) enum ServiceAccountOrImpersonatedServiceAccount {
// ... tagged deserialization of service account or impersonated service account
}In my PR, I combined both of these situations into a single recursive |
|
I actually might could do this change to my PR and re-push it if you think it would be a welcome change djc |
|
You added a bunch of code, seemingly duplicating a bunch of logic, which I'm not excited about. I'd be open to reviewing the very minimal changes I could facilitate to enable you to build this downstream, and then we can review whether it makes sense to support it as part of this project (which I think might make sense, but not in its current form). |
|
What changes would you be supportive of to make this work downstream? I am still interested in making this happen but I am not sure what you mean. |
3 participants
This PR adds service account impersonation. It uses a generic
Box<dyn ServiceAccount>to get the source token and then uses that token to refresh the impersonated account from theservice_account_impersonation_url.