
Service account impersonation does not work with kmsp11 #36

Open
richardkazuomiller opened this issue Aug 13, 2024 · 1 comment
Labels: bug Something isn't working

@richardkazuomiller

We planned on controlling access to our keys by giving access to a service account and having developers impersonate that service account to authenticate to KMS, but kmsp11 does not recognize the credential JSON file format. The output is the same as if there were no credential file at all.

$ gcloud auth application-default login --impersonate-service-account $SERVICE_ACCOUNT
$ openssl req -new -x509 -days 90000 -config /opt/cert.conf -keyform engine -engine pkcs11 -key pkcs11:object=${KEY_NAME} -out /opt/${KEY_NAME}.x509.pem
engine "pkcs11" set.
kmsp11 failure occurred prior to library initialization: returning 0x30 from C_Initialize due to status INVALID_ARGUMENT: Invalid credentials. [type.googleapis.com/kmsp11.StatusDetails='CK_RV=0x30']
Unable to load module /opt/libkmsp11.so
Could not create log file: File exists
COULD NOT CREATE LOGFILE '20240813-090328.1200'!
kmsp11 failure occurred prior to library initialization: returning 0x30 from C_Initialize due to status INVALID_ARGUMENT: Invalid credentials. [type.googleapis.com/kmsp11.StatusDetails='CK_RV=0x30']
Unable to load module /opt/libkmsp11.so
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140190594036160:error:82065030:PKCS#11 module:pkcs11_check_token:Device error:p11_load.c:88:
140190594036160:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key

The credential file looks like this:

{
  "delegates": [],
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
  "source_credentials": {
    "account": "",
    "client_id": "XXXXXX.apps.googleusercontent.com",
    "client_secret": "YYYYYYYY",
    "refresh_token": "1//ZZZZZZZZ",
    "type": "authorized_user",
    "universe_domain": "googleapis.com"
  },
  "type": "impersonated_service_account"
}

We're falling back to a persistent service account key shared by all developers, but it would be better if we could enforce authentication for each individual developer instead of having a shared key floating around.
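As an added, defender-side example (not code from the kmsp11 project and not part of this issue), the following Python preflight classifies the Application Default Credentials file that `gcloud auth application-default login` writes, so a developer can see before running `openssl` with the pkcs11 engine whether the file has the `impersonated_service_account` shape this issue reports kmsp11 rejecting. It also flags the `service_account` shape, i.e. a long-lived private key on disk, which is the shared-key fallback the reporter wants to avoid. The sample credential, the target account name `kms-signer@example-project.iam.gserviceaccount.com`, and the function names are all constructed for this example; the ADC default path and the `GOOGLE_APPLICATION_CREDENTIALS` variable are the standard ones client libraries use.

```python
"""Preflight check for a Google ADC JSON file (added example, not kmsp11 code)."""
import json
import os
import re
from typing import Any, Dict, List, Optional

# Credential "type" values gcloud / client libraries write to the ADC path.
KNOWN_TYPES = {
    "authorized_user",
    "service_account",
    "impersonated_service_account",
    "external_account",
}

# Pulls the target account out of an iamcredentials generateAccessToken URL.
_TARGET_RE = re.compile(r"/serviceAccounts/([^/:]+):generateAccessToken$")


def adc_path() -> str:
    """Resolve the ADC file the way client libraries do on Linux/macOS:
    GOOGLE_APPLICATION_CREDENTIALS first, then gcloud's default location."""
    env = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if env:
        return env
    return os.path.expanduser("~/.config/gcloud/application_default_credentials.json")


def classify_adc(text: str) -> Dict[str, Any]:
    """Parse an ADC JSON document and report its shape plus security findings."""
    cred = json.loads(text)
    ctype = cred.get("type", "<missing>")
    result: Dict[str, Any] = {
        "type": ctype,
        "target_service_account": None,
        "source_type": None,
        "rejected_by_kmsp11": False,  # True only for the shape this issue reports
        "findings": [],
    }
    findings: List[str] = result["findings"]

    if ctype not in KNOWN_TYPES:
        findings.append(f"unrecognized credential type {ctype!r}")
        return result

    if ctype == "impersonated_service_account":
        url = cred.get("service_account_impersonation_url", "")
        match = _TARGET_RE.search(url)
        result["target_service_account"] = match.group(1) if match else None
        result["source_type"] = cred.get("source_credentials", {}).get("type")
        result["rejected_by_kmsp11"] = True
        findings.append(
            "impersonated_service_account ADC: kmsp11 reports "
            "'INVALID_ARGUMENT: Invalid credentials' for this file shape "
            "(see this issue); the engine behaves as if no credential file existed"
        )
        if not match:
            findings.append("service_account_impersonation_url is missing or malformed")
        if cred.get("delegates"):
            findings.append(f"delegation chain of {len(cred['delegates'])} account(s)")
    elif ctype == "service_account":
        if "private_key" in cred:
            findings.append(
                "long-lived service account private key on disk: if shared by "
                "several developers it removes per-person accountability; "
                "restrict file permissions and rotate the key"
            )
    elif ctype == "authorized_user":
        findings.append("per-user refresh token; the identity is the developer's own account")
    elif ctype == "external_account":
        findings.append("workload identity federation credential (no long-lived key)")
    return result


def check_file(path: Optional[str] = None) -> Dict[str, Any]:
    """Classify the ADC file at `path` (default: the resolved ADC location)."""
    with open(path or adc_path(), encoding="utf-8") as fh:
        return classify_adc(fh.read())


# Constructed sample mirroring the redacted file in the issue; not real credentials.
SAMPLE_IMPERSONATED = json.dumps({
    "delegates": [],
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "kms-signer@example-project.iam.gserviceaccount.com:generateAccessToken"
    ),
    "source_credentials": {
        "account": "",
        "client_id": "XXXXXX.apps.googleusercontent.com",
        "client_secret": "YYYYYYYY",
        "refresh_token": "1//ZZZZZZZZ",
        "type": "authorized_user",
        "universe_domain": "googleapis.com",
    },
    "type": "impersonated_service_account",
})

if __name__ == "__main__":
    report = classify_adc(SAMPLE_IMPERSONATED)
    print(f"type={report['type']} target={report['target_service_account']}")
    for line in report["findings"]:
        print(" -", line)
```

Run it with no arguments to classify the embedded sample, or call `check_file()` from a wrapper script to inspect the real ADC file before `openssl` is invoked; a non-empty `findings` list with `rejected_by_kmsp11` set is the signal to stop and pick a credential shape the library accepts rather than debugging the engine's `CK_RV=0x30` output.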

@tdbhacks (Member)

Thanks for flagging this! I've reproduced on my end and forwarded this question internally to the gRPC team. This seems like a valid workflow to me, I wonder if this documentation section and the fact that C++ is not listed has anything to do with it: https://cloud.google.com/docs/authentication/use-service-account-impersonation#adc

I've asked them if we need to tweak something in our own library.

@tdbhacks tdbhacks added the bug Something isn't working label Oct 28, 2024