Bug in ExternalAccess class #605

Open
mruell opened this issue Feb 4, 2025 · 1 comment
mruell commented Feb 4, 2025

Hi team!

The issue below is currently blocking us from using service account impersonation together with workload identity federation.

We would be really happy if you could look into that. Thanks!

Environment details

  • OS: tested with MacOS and Linux
  • PHP version: 8.4
  • Package name and version: google/auth v1.45.3 (via packagist)

Steps to reproduce

Using federated workload access, with service account impersonation

Code example

Env

GOOGLE_APPLICATION_CREDENTIALS=/etc/workload-identity/credential-configuration.json

/etc/workload-identity/credential-configuration.json is

{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/xxx/locations/global/workloadIdentityPools/xxx/providers/xxx",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/var/run/service-account/token",
    "format": {
      "type": "text"
    }
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
}

What happens

Every call but the first to any Google API will not use the impersonated service account, and thus calls will fail with permission denied.

Description

The getLastReceivedToken method in the ExternalAccountCredentials class does not return the last received token if $this->serviceAccountImpersonationUrl is being used.

The RequestWrapper that is being used by almost all official GCP client libraries will enforce that the credential fetchers are wrapped in a FetchAuthTokenCache instance.

The FetchAuthTokenCache instance will use updateMetadata to inject the access tokens into e.g. HTTP calls. To do that it uses fetchAuthTokenFromCache to fetch from the cache, but getLastReceivedToken to get the token to cache.

Since getLastReceivedToken does not return the service account token, every call but the first will not use the service account token, and thus this functionality will fail.

I'd be really happy if you could look into this :)

Thanks a lot in advance and best,
Marvin
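The failure mode described in this report, modelled as an added illustration that is not code from google/auth: a caching wrapper that stores whatever the fetcher's getLastReceivedToken() reports rather than the token fetchAuthToken() actually returned. All class names (ModelExternalAccountFetcher, ModelTokenCache) and token values are constructed for the example; the real library's classes are FetchAuthTokenCache and ExternalAccountCredentials, and the actual fix in PR #604 is not reproduced here.

```php
<?php
// Added illustration (not google/auth code). Models the bug described above:
// a token cache that remembers getLastReceivedToken() instead of the value
// fetchAuthToken() returned, so every call after the first is sent with the
// wrong credential. Class names and token strings are hypothetical.

interface TokenFetcher
{
    /** @return array{access_token: string, expires_at: int} */
    public function fetchAuthToken(): array;

    public function getLastReceivedToken(): ?array;
}

// Models an external-account fetcher: it exchanges a federated token at STS and,
// when impersonation is configured, swaps it for a service-account token.
final class ModelExternalAccountFetcher implements TokenFetcher
{
    private ?array $lastStsToken = null;
    private ?array $lastReturnedToken = null;

    public function __construct(
        private bool $impersonate,
        private bool $rememberReturnedToken = false, // true models the corrected behaviour
    ) {}

    public function fetchAuthToken(): array
    {
        // Constructed stand-ins for the STS and IAM Credentials responses.
        $this->lastStsToken = [
            'access_token' => 'sts-token-for-workload-pool-principal',
            'expires_at'   => time() + 3600,
        ];
        $this->lastReturnedToken = $this->impersonate
            ? ['access_token' => 'sa-token-for-impersonated-service-account', 'expires_at' => time() + 3600]
            : $this->lastStsToken;

        return $this->lastReturnedToken;
    }

    // The reported defect: only the STS token is remembered, so callers that rely
    // on getLastReceivedToken() never see the impersonated token.
    public function getLastReceivedToken(): ?array
    {
        return $this->rememberReturnedToken ? $this->lastReturnedToken : $this->lastStsToken;
    }
}

// Models a caching wrapper that fetches through the underlying fetcher but caches
// what getLastReceivedToken() reports, as the report says FetchAuthTokenCache does.
final class ModelTokenCache
{
    private ?array $cached = null;

    public function __construct(private TokenFetcher $fetcher) {}

    public function bearerToken(): string
    {
        if ($this->cached !== null && $this->cached['expires_at'] > time()) {
            return $this->cached['access_token'];
        }
        $token = $this->fetcher->fetchAuthToken();
        // Caching the "last received" token instead of $token is what goes wrong.
        $this->cached = $this->fetcher->getLastReceivedToken();
        return $token['access_token'];
    }
}

// A check a caller can run: the credential used on a repeat call must equal the
// one used on the first call, otherwise requests will silently change principal.
function impersonationIsStable(TokenFetcher $fetcher): bool
{
    $cache = new ModelTokenCache($fetcher);
    return $cache->bearerToken() === $cache->bearerToken();
}

$buggy = new ModelExternalAccountFetcher(impersonate: true);
$fixed = new ModelExternalAccountFetcher(impersonate: true, rememberReturnedToken: true);

printf("buggy fetcher stable across calls: %s\n", impersonationIsStable($buggy) ? 'yes' : 'no');  // no
printf("fixed fetcher stable across calls: %s\n", impersonationIsStable($fixed) ? 'yes' : 'no');  // yes
```

Run it with php and the first line reports "no": the first request goes out with the impersonated service-account token and succeeds, while the second is served the cached STS token for the workload-pool principal, which is the permission-denied pattern the report describes. The same principal-consistency check is a cheap assertion to keep in an integration test for any credential type that internally exchanges one token for another.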


mruell commented Feb 4, 2025

I already opened a PR that should solve this issue
#604
