From 6a6de9d6054158f3a7700587bb71e8c7af25f27a Mon Sep 17 00:00:00 2001
From: Darren Dowker
Date: Tue, 17 Sep 2024 11:30:41 -0700
Subject: [PATCH] add support for external_account in another location
---
 broker/client/reader.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/broker/client/reader.go b/broker/client/reader.go
index ea912d8d..f31ccbbc 100644
--- a/broker/client/reader.go
+++ b/broker/client/reader.go
@@ -3,6 +3,7 @@ package client
 import (
 "bufio"
 "context"
+ "encoding/json"
 "crypto/tls"
 "errors"
 "fmt"
@@ -500,6 +501,11 @@ func (s *gcsBackend) open(ctx context.Context, ep *url.URL, fragment pb.Fragment
 return gClient.Bucket(cfg.bucket).Object(cfg.rewritePath(cfg.prefix, fragment.ContentPath())).NewReader(ctx)
 }
+/ to help identify when JSON credentials are an external account used by workload identity
+ type credentialsFile struct {
+ Type string `json:"type"`
+ }
+
 func (s *gcsBackend) gcsClient(ep *url.URL) (cfg GSStoreConfig, client *storage.Client, err error) {
 var conf *jwt.Config
@@ -522,7 +528,18 @@ func (s *gcsBackend) gcsClient(ep *url.URL) (cfg GSStoreConfig, client *storage.
 creds, err := google.FindDefaultCredentials(ctx, storage.ScopeFullControl)
 if err != nil {
 return
- } else if creds.JSON != nil {
+ }
+
+ // best effort to determine if JWT credentials are for external account
+ externalAccount := false
+ if creds.JSON != nil {
+ var f credentialsFile
+ if err := json.Unmarshal(creds.JSON, &f); err == nil {
+ externalAccount = f.Type == "external_account"
+ }
+ }
+
+ if creds.JSON != nil && !externalAccount {
 conf, err = google.JWTConfigFromJSON(creds.JSON, storage.ScopeFullControl)
 if err != nil {
 return
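Review bot: The new `"encoding/json"` import is inserted between `"context"` and `"crypto/tls"`, which breaks the alphabetical order gofmt and goimports keep inside an import group. Move it one line down, after `"crypto/tls"`, so the next goimports run does not produce an unrelated reorder diff in this file.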
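Review bot: The comment above `credentialsFile` reads `/ to help identify …` as captured here; if that is the committed text rather than an extraction artifact it will not compile, and either way a doc comment on a type should start with the type name. Suggested replacement: `// credentialsFile is the subset of a Google application-credentials JSON document needed to tell an external_account credential (workload identity federation) from a service-account key; only the type field is decoded.` Stating that the struct is intentionally narrow keeps a later reader from widening it into a second credential parser next to the one in the google package.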
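Review bot: The guard `if creds.JSON != nil && !externalAccount` still sends every JSON credential that is neither a service-account key nor an external_account — authorized_user, impersonated_service_account, external_account_authorized_user — into `google.JWTConfigFromJSON`, which as far as I can tell accepts only `"type": "service_account"` and returns an error for anything else, so only one of the non-JWT credential types gains the new path. Testing positively for `f.Type == "service_account"` states the real precondition of the JWT branch and lets the other types take whatever generic path follows; that path, like the rest of gcsClient, lies outside the hunk, so it is worth confirming it copes with them. To my understanding FindDefaultCredentials has already decoded creds.JSON by this point, so the silently ignored Unmarshal error is not expected to fire, and the two `creds.JSON != nil` checks can collapse into one. The comment `best effort to determine if JWT credentials are for external account` is also misleading, since creds.JSON is the raw credentials document rather than a JWT.
```go
	creds, err := google.FindDefaultCredentials(ctx, storage.ScopeFullControl)
	if err != nil {
		return
	}

	// Only a service_account key can be turned into a JWT config; external_account
	// (workload identity federation) and the other credential types fall through to
	// the generic credentials path. FindDefaultCredentials has already parsed
	// creds.JSON, so a decode failure here is not expected and is deliberately ignored.
	var f credentialsFile
	if creds.JSON != nil {
		_ = json.Unmarshal(creds.JSON, &f)
	}

	if f.Type == "service_account" {
		// … unchanged: JWTConfigFromJSON call and its error check …
```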