iapclient

package module
v0.0.0-...-06e0afa Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 4, 2021 License: Apache-2.0 Imports: 14 Imported by: 0

README

iapclient

iapclient is a library to facilitate programmatic service-account authentication to endpoints protected by Google Cloud Platform's Identity Aware Proxy

See the ./examples directory for how to use this.

Before using:

  1. Set permissions "appropriately"
    • roles/iam.serviceAccountTokenCreator on the Service Account's own Service Account (yes, really - it's required for signBlob to work)
    • roles/iap.httpsResourceAccessor on the target project where the IAP-protected resource is
  2. Collect the target URI and Client ID

In summary, iapclient.NewIAP returns an http.RoundTripper that can be set as your http.Client's transport:

iap, err := iapclient.NewIAP("client-id", nil)
if err != nil {
    log.Fatalf("Failed to create new IAP object: %v", err)
}

httpClient := &http.Client{
    Transport: iap,
}

req, err := http.NewRequest("GET", "some uri", nil)
...

Why

IAP-protected resources use a weird OAuth flow that's extremely fluid for web-browser based human clients, but quite awkward to authenticate to as a service account.

What this library does

The upstream documentation for this process is Authentication Howto

The high-level summary is:

  1. Create a custom JWT with fields
    • exp - Epoch time 1 hour in the future
    • aud - https://www.googleapis.com/oauth2/v4/token
    • iss - Service Account email (get from JSON or metadata service)
    • iat - Current epoch time
    • target_audience - IAP OAuth ClientID (must be gotten manually)
  2. Use the projects.serviceAccounts.signJwt method to have Google sign the JWT as your service account. This is done instead of using the private key because Application Default Authentication does not have the private key unless a JSON file is in use, and implementing both seemed silly.
  3. Do a POST to the OAuth Token URI (https://www.googleapis.com/oauth2/v4/token) Body should have the following fields:
    • assertion - the signed JWT gotten back from signJwt
    • grant_type - urn:ietf:params:oauth:grant-type:jwt-bearer
  4. Use the returned string for authentication by adding Authorization: Bearer <string> to the IAP-directed request

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	HTTPClient *http.Client
	Transport  http.RoundTripper
	// In the event that you happen to be using this in Cloud Builder, you'll
	// need to override the email address used for signing the JWT as Cloud
	// Builder's service account can't use the signJwt API endpoint for
	// $REASONS (it's a 500 and Google says it's not supported)
	SignerEmail string
}

Config stores parameters optional for NewIAP

type IAP

type IAP struct {
	sync.Mutex
	// contains filtered or unexported fields
}

IAP struct to represent the latest retrieved auth details

func NewIAP

func NewIAP(cid string, config *Config) (*IAP, error)

NewIAP creates a new IAP object to fetch and refresh IAP authentication

func (*IAP) GetToken

func (iap *IAP) GetToken(ctx context.Context) (token string, err error)

GetToken refreshes the token if necessary, and returns it

func (*IAP) RoundTrip

func (iap *IAP) RoundTrip(req *http.Request) (resp *http.Response, err error)

RoundTrip makes the IAP object into a valid http.Transport interface

Directories

Path Synopsis
examples

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL