
Better way to authenticate kubernetes provider to use this module #909

yashbhutwala opened this issue May 25, 2021 · 5 comments (Closed)

@yashbhutwala (Contributor) commented May 25, 2021

The current recommended way to authenticate kubernetes provider in order to use this module is with "google_client_config" data resource. However, using this data resource means that the token generated by this resource is stored in Terraform state in plain text. I'm looking for recommendations or suggestions for alternative ways to authenticate the kubernetes provider that does not rely on storing sensitive auth information in TF state. Any ideas welcome, thanks!

```hcl
# google_client_config and kubernetes provider must be explicitly specified like the following.
data "google_client_config" "default" {}

provider "kubernetes" {
  host                   = "https://${module.gke.endpoint}"
  token                  = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}
```

Relevant Resources:

@morgante (Contributor) commented:

The token should be short-lived, so the exposure is somewhat limited.

That being said, you should generally assume that Terraform state is sensitive and needs to be locked down.

@yashbhutwala (Contributor, Author) commented May 25, 2021

@morgante you're right, and I knew that, I was hoping for some alternatives to not storing it in the state 😃.

At the very least, I think maybe the documentation can be improved with respect to:

  1. token will be stored in TF state (maybe both in provider and this module docs)
  2. how long will the token be valid for? (I think 1 hour, but I didn't see anything in either GKE or terraform docs) Also, is there way to configure the duration? (i.e.: something similar to https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/service_account_access_token#lifetime)

Thoughts? I can send up PRs if needed.

@morgante (Contributor) commented:

Yes, 1 hour. A PR to explain this more would be appreciated.

@bharathkkb (Member) commented:

@yashbhutwala just an idea but IIRC google_client_config just exposes the token generated by the provider. Instead you could use service_account_access_token to generate another access_token that is time boxed and is only used to auth the kubernetes provider. Assuming the original SA that TF is using has tokenCreator permissions on this new SA, the token gets created, valid for a specific lifetime as defined in your config.

```hcl
data "google_service_account_access_token" "default" {
  target_service_account = "foo-cluster-admin@project.iam.gserviceaccount.com"
  scopes                 = ["cloud-platform"]
  lifetime               = "10s"
}

provider "kubernetes" {
  host                   = "https://${module.gke.endpoint}"
  token                  = data.google_service_account_access_token.default.access_token
  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}
```
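Both configurations in this thread (the `google_client_config` token in the opening post and the time-boxed `google_service_account_access_token` alternative above) end up as plaintext attributes in the Terraform state file, because state is written as unencrypted JSON regardless of whether the provider marks an attribute sensitive. The following scanner is an added example, not code from this issue or from the terraform-google-kubernetes-engine module: it walks a state-format-version-4 document, reports every resource instance that carries a bearer-token attribute, and notes whether that token was minted with an explicit `lifetime`, so a reviewer can tell at a glance which data sources leave credentials in state and how long-lived they are. The state document embedded below is constructed for the example; the token strings and project name are placeholders.

```python
"""Report bearer tokens stored in a Terraform state file (state format version 4).

Added example, not part of the issue thread or the GKE module. Assumes the
standard state layout: {"version": 4, "resources": [{"mode", "type", "name",
"instances": [{"attributes": {...}}]}]}. The sample state below is constructed.
"""
import json

# Attribute names that hold a credential when present on a resource instance.
TOKEN_KEYS = {"access_token", "id_token", "token"}


def find_state_tokens(state):
    """Return one finding per token-bearing attribute found in the state."""
    findings = []
    for res in state.get("resources", []):
        prefix = "data." if res.get("mode") == "data" else ""
        address = f"{prefix}{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            inst_address = address
            if "index_key" in inst:  # count/for_each instances carry an index
                inst_address += f"[{json.dumps(inst['index_key'])}]"
            for key in sorted(TOKEN_KEYS & attrs.keys()):
                value = attrs[key]
                if not value:
                    continue
                findings.append({
                    "address": inst_address,
                    "attribute": key,
                    # google_service_account_access_token records the requested
                    # lifetime; google_client_config records nothing about expiry.
                    "lifetime": attrs.get("lifetime"),
                    "preview": value[:5] + "...",  # never echo the whole token
                })
    return findings


def report_lines(state):
    """Human-readable summary, one line per finding."""
    lines = []
    for f in find_state_tokens(state):
        if f["lifetime"]:
            expiry = f"explicit lifetime {f['lifetime']}"
        else:
            expiry = "no lifetime recorded in state"
        lines.append(f"{f['address']}.{f['attribute']} ({f['preview']}): {expiry}")
    return lines


def load_state(path):
    """Load a terraform.tfstate file from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample state mirroring the two configurations from the thread.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "0.15.4",
    "resources": [
        {"mode": "data", "type": "google_client_config", "name": "default",
         "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
         "instances": [{"schema_version": 0, "attributes": {
             "access_token": "ya29.CONSTRUCTED-PROVIDER-TOKEN",
             "project": "example-project", "region": "us-central1",
             "zone": None, "id": "example-project/us-central1/"}}]},
        {"mode": "data", "type": "google_service_account_access_token", "name": "default",
         "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
         "instances": [{"schema_version": 0, "attributes": {
             "access_token": "ya29.CONSTRUCTED-SHORT-LIVED-TOKEN",
             "lifetime": "10s", "scopes": ["cloud-platform"], "delegates": None,
             "target_service_account": "foo-cluster-admin@project.iam.gserviceaccount.com",
             "id": "foo-cluster-admin@project.iam.gserviceaccount.com"}}]},
        {"mode": "managed", "type": "google_container_cluster", "name": "primary",
         "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
         "instances": [{"schema_version": 1, "attributes": {
             "name": "primary", "endpoint": "203.0.113.10"}}]},
    ],
}

if __name__ == "__main__":
    for line in report_lines(SAMPLE_STATE):
        print(line)
```

Run it against a real file with `report_lines(load_state("terraform.tfstate"))`; the same walk works on a remote-backend state pulled with `terraform state pull`. The preview is deliberately truncated so the scanner's own output does not become a second place the token is written down.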

@github-actions commented:

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
