OIDC auth token for Cloud Run services requiring authentication #61
Adding faraday dependency to use as an http client
Adding oidc_enabled flag to add feature for authenticated google cloud run services
Adding oidc_token feature for google cloud run services that require authentication
Moved method into class
moved method to class
To meet rubocop specs
Added missing error constant, fixed layout and styling to meet rubocop spec
Fix trailing whitespace to meet rubocop spec
Hey @emerson-argueta thanks for tackling this issue, I'm sure a lot of people will find it useful 🎉
Just a couple of questions:
- Did you test this change end to end (using Cloud Run for example)? I will test it as well on my side to double check any edge case
- I'm surprised you have to fetch the oidc token manually. Are you sure the GCP ruby SDK doesn't provide a prebuilt function for that?
lib/cloudtasker/authenticator.rb
Outdated
@@ -51,5 +58,19 @@ def verify(bearer_token) | |||
def verify!(bearer_token) | |||
verify(bearer_token) || raise(AuthenticationError) | |||
end | |||
|
|||
def oidc_token | |||
google_metadata_server_url = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity' |
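Review bot: the identity URL assigned on the last line of this hunk carries no `audience` query parameter, and the metadata server only mints an ID token for an explicit audience (the URL of the Cloud Run service being called) and rejects requests that lack the `Metadata-Flavor: Google` header, so the request built from `google_metadata_server_url` needs `?audience=<Cloud Run service URL>` plus that header or it will either fail or yield a token the target service will not accept. Because a token fetched here is minted at enqueue time and is short-lived, a task scheduled to run after the token's lifetime would arrive with an expired credential; the safer design is to hand the service account and audience to Cloud Tasks so that it mints a fresh token when it dispatches the request.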
Instead of manually retrieving an OIDC token from the metadata server, isn't there a prebuilt function in the GCP Ruby SDK to do so? (I haven't looked it up yet)
From what I was able to research, I did not find a function in the Ruby SDK to fetch the token. Here are some relevant links that I used to try to find the answer:
- https://cloud.google.com/run/docs/authenticating/service-to-service#run-service-to-service-example-go
- https://cloud.google.com/ruby/docs/reference/google-cloud-binary_authorization/latest
In the first link, you can see that certain languages have a function to fetch the token and Ruby is not included.
The second link shows all the Ruby GCP libraries. I did not find anything relevant there unless by mistake I did not see it.
Because I couldn't find a library I decided to manually retrieve the token as described at the end of the page in the first link.
lib/cloudtasker/config.rb
Outdated
# | ||
# @return [Boolean] Flag to enable oidc. | ||
# | ||
def oidc_enabled |
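Review bot: the YARD comment above `def oidc_enabled` only says "Flag to enable oidc." and does not state the default or the effect of the flag; since the accessor is meant to default to false (see the review discussion on `@oidc_enabled || false`), document that it defaults to false and that, when true, cloudtasker fetches an OIDC token for requests to the Cloud Run service, which presupposes the metadata server is reachable, i.e. the process is running on GCP.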
@oidc_enabled || false doesn't add much value. You can just add oidc_enabled as an accessor - similar to store_payloads_in_redis.
Thanks for the feedback, will make sure to do this change.
To answer the first question: I manually tested using one of my rails services (which can only be called through authenticated requests) on google cloud run by:
- Adding the library to my rails project fetching it from my forked repository
- Setting oidc_enabled to true in the cloudtasker initializer of my rails project
- Calling an endpoint on the rails service through Postman that triggers a cloudtasker worker
Although I was able to successfully run the worker from my rails service, I did not create an integration test. Again, thanks for the feedback and I really appreciate the work done on this library.
Refactor oidc_enabled as an accessor
Update description of oidc token fetch error
Alright so I've been digging a bit more into OIDC authentication on GCP and I don't believe this approach will work due to how OIDC tokens expire. The concept of OIDC auth with Cloud Run + Cloud Tasks is that:
Then what happens is:
So in order to support OIDC authentication, we need to do the following:
Let me know if that makes sense. Happy to take your view on it 😃 PS: Back onto our previous discussion regarding the metadata server - and having dug into the docs a bit more - I think you can use
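As an added example (not code from this PR or from cloudtasker), the Ruby below shows the two points raised in this thread: how the manual metadata-server identity request discussed earlier has to be built (explicit audience parameter and Metadata-Flavor header), and how to inspect a token's aud and exp claims to see why a token minted at enqueue time can already be expired when a delayed task runs. The module name, the sample audience and the constructed unsigned sample token are assumptions.

```ruby
require 'base64'
require 'json'
require 'net/http'
require 'uri'

# Added example, not part of cloudtasker. Builds the metadata-server identity
# request the PR discusses and inspects the resulting token's claims.
module OidcTokenExample
  METADATA_IDENTITY_URL =
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity'.freeze

  # The identity endpoint mints a token only for an explicit audience (the URL
  # of the Cloud Run service being called) and requires Metadata-Flavor: Google.
  # Returns the prepared request; sending it only works on a GCP VM/container.
  def self.identity_request(audience)
    uri = URI(METADATA_IDENTITY_URL)
    uri.query = URI.encode_www_form(audience: audience)
    req = Net::HTTP::Get.new(uri)
    req['Metadata-Flavor'] = 'Google'
    req
  end

  # Decode the JWT payload WITHOUT verifying the signature. This is for
  # client-side inspection of claims only; the receiving service must verify
  # the signature against Google's public keys before trusting the token.
  def self.claims(token)
    payload = token.split('.').fetch(1)
    JSON.parse(Base64.urlsafe_decode64(payload))
  end

  # A token is usable for a request only if it was minted for that audience
  # and has not expired. A token minted at enqueue time fails this check once
  # a delayed task's run time passes the token's exp.
  def self.usable?(token, audience, now: Time.now.to_i)
    c = claims(token)
    c['aud'] == audience && c['exp'].to_i > now
  end

  # Constructed, unsigned sample token for offline demonstration only.
  def self.sample_token(audience, exp)
    enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
    header = enc.call({ alg: 'none', typ: 'JWT' })
    payload = enc.call({ aud: audience, exp: exp, iss: 'https://accounts.google.com' })
    "#{header}.#{payload}."
  end
end
```

If Cloud Tasks is instead given the service account and audience on the task's HTTP request, it mints the token at dispatch time, which sidesteps the expiry problem for tasks scheduled far ahead.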
Greatly appreciate the feedback and the time spent on it. Just to make sure I understand, in order to support OIDC authentication we need to:
I hope I understood all this correctly. Again thanks for taking the time to investigate this. 🙂 I think I could make the changes using this approach outlined in the previous comment.
@emerson-argueta Sorry for the late reply. Your understanding is correct. Don't hesitate to ping me for help or intermediate reviews as you progress! 👍
Just as an update, I recently did some investigations with the GCP team on how to best use OIDC tokens manually in Ruby. I've summarized my approach in this gist: https://gist.github.com/alachaum/e8052d37a5584ad3f5ee37a8cbfe1492 The Just to say I haven't forgotten about this PR 😊
Thanks for looking further into this. It's been a while since I last worked on this but I will certainly take a look again. 👍
👍 Going to merge this and do the final tweaks on my side.
As mentioned in issue #28, google cloud run services that require authentication cannot currently use cloudtasker.
These 3 commits included in the pull request aim to add the oidc auth token feature to cloudtasker.
In these commits the following changes are added