[GODRIVER-2415] KMSProvider for GCP does not accept access_token for the service account email Created: 09/May/22  Updated: 06/Aug/22  Resolved: 06/Aug/22

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major - P3
Reporter: ankur barua Assignee: Unassigned
Resolution: Duplicate Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates GODRIVER-2501 Add support for GCP attached service ... Closed
Related
is related to DRIVERS-2377 Add support for GCP attached service ... Closed
Case:

 Description   

Hi,

I am trying to do CSFLE using GCE's default Service Account. But, the KMSProvider for GCP is looking for the "privateKey" for the SA. Our GCP admin does not allow creating keys for SA as a security measure. 

As an alternative, can the driver accept the access token for the SA for authentication?

Thanks,

Ankur



 Comments   
Comment by Kevin Albertson [ 06/Aug/22 ]

Resolved by GODRIVER-2501.

Comment by Kevin Albertson [ 12/May/22 ]

Thank you for the feature request ankurbarua@gmail.com . This is a limitation in all drivers. The work to support GCP with attached service accounts is tracked in MONGOCRYPT-328. Please watch MONGOCRYPT-328 for updates.

Comment by Sam Stoelinga [ 09/May/22 ]

To add some more specifics, the request would be to not require a privateKey and have the Go client get access tokens using the default SA from the GCE VM or e.g. when Workload Identity is used in GKE.


This is required for customers that only allow using default SA credentials and have an org policy to prevent downloading SA keys. Here are more docs on this default SA: https://cloud.google.com/compute/docs/access/service-accounts#use-sas

"A user-managed service account can be attached to a Compute Engine instance to provide credentials to applications running on the instance. These credentials are used by the application for authentication to Google Cloud APIs, and authorization to access Google Cloud resources."

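The flow the comment above describes, as an added example that is not part of the original ticket and not the Go driver's own code: fetch the attached (default) service account's OAuth2 access token from the GCE metadata server and build a GCP kmsProviders document from it, so no service-account key is ever downloaded. The token endpoint path and the mandatory Metadata-Flavor header are Google's documented metadata-server behaviour; the "accessToken" field name in the kmsProviders map is assumed here, as is the stub metadata server, which is constructed so the example runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Documented GCE metadata-server path for the attached service account's
// access token. On a real VM the base URL is http://metadata.google.internal;
// it is a parameter here so the example can run against a local stub.
const tokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

type metadataToken struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// FetchAttachedSAToken asks the metadata server for the attached service
// account's access token. The Metadata-Flavor header is mandatory: the real
// server rejects requests without it, which stops SSRF-style fetches from
// code that cannot set request headers.
func FetchAttachedSAToken(baseURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+tokenPath, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata-Flavor", "Google")
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("metadata server returned %s", resp.Status)
	}
	var tok metadataToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return "", err
	}
	if tok.AccessToken == "" {
		return "", errors.New("empty access_token in metadata response")
	}
	return tok.AccessToken, nil
}

// GCPKMSProviders builds the kmsProviders document with a short-lived access
// token instead of an email/privateKey pair. Assumption: the "accessToken"
// field name for the GCP provider. No private key is created or stored.
func GCPKMSProviders(token string) map[string]map[string]interface{} {
	return map[string]map[string]interface{}{
		"gcp": {"accessToken": token},
	}
}

// NewFakeMetadataServer is a constructed stand-in for the GCE metadata server
// so the example runs offline. It enforces the Metadata-Flavor header the
// same way the real server does.
func NewFakeMetadataServer(token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata-Flavor") != "Google" {
			http.Error(w, "Missing Metadata-Flavor:Google header.", http.StatusForbidden)
			return
		}
		if r.URL.Path != tokenPath {
			http.NotFound(w, r)
			return
		}
		_ = json.NewEncoder(w).Encode(metadataToken{
			AccessToken: token, ExpiresIn: 3599, TokenType: "Bearer",
		})
	}))
}

func main() {
	srv := NewFakeMetadataServer("ya29.constructed-sample-token")
	defer srv.Close()
	tok, err := FetchAttachedSAToken(srv.URL)
	if err != nil {
		panic(err)
	}
	// Real use: pass this map to options.AutoEncryption().SetKmsProviders(...).
	// The token expires in under an hour, so fetch it per session, not once.
	fmt.Println(GCPKMSProviders(tok))
}
```

The metadata server hands out a token that expires (expires_in is about an hour), so a long-running process must refetch rather than cache it for the life of the client; and the map never contains key material, which is the property the org policy in the comment is enforcing.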

Generated at Thu Feb 08 08:38:33 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.