Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GCP PS1 Prompt Support for GCP Accounts and Projects #926

Open
RoseSecurity opened this issue Feb 29, 2024 · 1 comment
Open

GCP PS1 Prompt Support for GCP Accounts and Projects #926

RoseSecurity opened this issue Feb 29, 2024 · 1 comment

Comments

@RoseSecurity
Copy link
Member

Feature Request

I know that Geodesic tends to lean more into the AWS landscape, but would y’all consider offering some GCP PS1 prompt support for GCP accounts like:

function role_name() {
    local role_name
    # Could be a primary or assumed role. If we have assumed a role, cut off the session name.
    local current_role=$(gcloud auth list --filter=status:ACTIVE --format="value(account)" 2>/dev/null | cut -d '@' -f1)
    if [[ -z $current_role ]]; then
        unset ASSUME_ROLE
        return 0
    fi
    export ASSUME_ROLE="$current_role"
}
role_name

From my understanding, GCP has a few different authentication flows, but when it comes to the credentials used by SDK tools like gcloud or gsutil, they are stored in a DB file located at ~/.config/gcloud/credentials.db. Whenever someone runs gcloud auth login, it appends an entry to this file. I also found credentials inside of access_tokens.db, and was able to extrapolate them using Sqlite.

When I look in ~/.config/gcloud/configurations/config_default :

I see:

[core]
account = [michael@gmail.com](mailto:michael@gmail.com)
project = projectexample
@Nuru
Copy link
Contributor

Nuru commented Mar 24, 2024

I would be in favor of supporting GCP prompts along the same lines as we support AWS prompts. Standing in the way:

  • Cloud Posse does not have a sponsor to support the work. This is not always a requirement, but it definitely helps, both in providing resources and in providing feedback on proposed solutions.
  • Cloud Posse does not have a GCP workflow or authentication scheme in its reference architecture, making it unclear what GCP support should actually look like. The AWS support is quite complicated because of the various sources of identity and the numerous reasons to assume different AWS IAM roles and the differing ways to assume them. It is extra complicated because of legacy support for deprecated and obsolete workflows, which should not be carried forward to GCP support.
  • The existing prompt support for AWS roles is very complicated. I would not expect a contributor to understand all the intricacies and would not trust a contributor PR to provide GCP support.
  • Cloud Posse does not have any kind of established way to test the prompts. The AWS prompts were developed through continuous feedback from customers, but we do not have established relationships with GCP users to provide adequate feedback.

I will leave this issue open and we may at some point undertake to provide the feature, but I would not estimate it happening anytime soon. My best recommendation for now is that GCP users look at the existing AWS support, ignoring in particular the support for aws-vault and the expectation that a primary use case is launching a sub-shell with a different assumed role, and use the existing customization options to craft your own solution.

If you feel you have something robust enough to share, I will consider a PR, but you should craft your PR in a way that other GCP users can adopt it into their custom Geodesic images before the PR is merged and without having to fork the repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Nuru @RoseSecurity