[GODRIVER-2415] KMSProvider for GCP does not accept access_token for the service account email

Created: 09/May/22 | Updated: 06/Aug/22 | Resolved: 06/Aug/22

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Go Driver |
| Component/s | None |
| Affects Version/s | None |
| Fix Version/s | None |
| Type | New Feature |
| Priority | Major - P3 |
| Reporter | ankur barua |
| Assignee | Unassigned |
| Resolution | Duplicate |
| Votes | 1 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Issue Links | |
| Case | (copied to CRM) |

Description
Hi, I am trying to do CSFLE using GCE's default Service Account. But the KMSProvider for GCP is looking for the "privateKey" for the SA. Our GCP admin does not allow creating keys for SAs as a security measure. As an alternative, can the driver accept the access token for the SA for authentication? Thanks, Ankur
Comments

Comment by Kevin Albertson [ 06/Aug/22 ]

Resolved by
Comment by Kevin Albertson [ 12/May/22 ]

Thank you for the feature request ankurbarua@gmail.com. This is a limitation in all drivers. The work to support GCP with attached service accounts is tracked in
Comment by Sam Stoelinga [ 09/May/22 ]

To add some more specifics, the request would be to not require a privateKey and have the Go client get access tokens using the default SA from the GCE VM or, e.g., when Workload Identity is used in GKE.

This is required for customers that only allow using default SA credentials and have an org policy to prevent downloading SA keys. Here are more docs on this default SA: https://cloud.google.com/compute/docs/access/service-accounts#use-sas "A user-managed service account can be attached to a Compute Engine instance to provide credentials to applications running on the instance. These credentials are used by the application for authentication to Google Cloud APIs, and authorization to access Google Cloud resources."
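The token flow the request above asks the driver to perform, as an added example that is not part of this ticket or of the Go driver: the attached service account's OAuth2 access token is fetched from the GCE metadata server (the documented `computeMetadata/v1/.../service-accounts/default/token` endpoint, which also serves GKE Workload Identity pods), so no service-account private key ever has to be created or downloaded. The function name `FetchAttachedSAToken` and the sanity checks on the returned token are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// tokenPath is the GCE metadata-server endpoint that issues an OAuth2 access token
// for the attached service account; no service-account private key is downloaded.
const tokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"
type AccessToken struct {
	Token     string `json:"access_token"`
	ExpiresIn int    `json:"expires_in"`
	TokenType string `json:"token_type"`
}

// FetchAttachedSAToken asks the metadata server at baseURL (on a real VM or GKE
// Workload Identity pod: http://metadata.google.internal) for a token. The
// Metadata-Flavor header is mandatory; the server refuses requests without it.
func FetchAttachedSAToken(baseURL string) (*AccessToken, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+tokenPath, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata server returned %s", resp.Status)
	}
	var tok AccessToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	// Never hand an empty, already-expired or non-bearer token on to a KMS call.
	if tok.TokenType != "Bearer" || tok.Token == "" || tok.ExpiresIn <= 0 {
		return nil, fmt.Errorf("metadata server returned an unusable token")
	}
	return &tok, nil
}

func main() {
	tok, err := FetchAttachedSAToken("http://metadata.google.internal")
	fmt.Println(err == nil && tok != nil) // false when not running on GCE/GKE
}
```

The token is short-lived (the server reports `expires_in`), so a caller would refresh it rather than cache it for the process lifetime.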