diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml
index 71adb7ebd..4d1ea902f 100644
--- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml
+++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml
@@ -136,7 +136,7 @@ jobs:
BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }}
- name: Generate Trivy vulnerability scan report
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.12.0
if: inputs.publish_vulnerabilities == 'true'
with:
image-ref: ${{ steps.meta.outputs.tags }}
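Review bot: Pinning `aquasecurity/trivy-action` to the `0.12.0` tag on the `uses:` line is still a mutable reference, since a tag can be moved or re-pushed by the upstream repository; pinning to the full commit SHA of that release, with the tag kept as a trailing comment, is the form that actually fixes the code being executed, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-0.12.0> # 0.12.0`. The same applies to the second hunk of this file (`Test with Trivy vulnerability scanner`). If the project relies on Dependabot or Renovate to keep action pins current, the SHA form is what those tools expect to update. Both steps sit inside a job whose definition starts before the hunk.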
@@ -154,7 +154,7 @@ jobs:
sarif_file: 'trivy-results.sarif'
- name: Test with Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.12.0
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: 'table'
diff --git a/pom.xml b/pom.xml
index 2f83d5f54..56caf04c2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,8 +21,8 @@
1.5.0-676519b018
1.1.0
1.4.0-2195ee834a
- 1.3.4-649b0b4f7f
- 5.15.0-5e9fa2fc04
+ 1.4.2-dd1920710d
+ 5.16.0-a72b7d9dd1
${project.version}
diff --git a/scripts/gcp-oidc/entrypoint.sh b/scripts/gcp-oidc/entrypoint.sh
index 83d4c039e..ecd69ea7f 100644
--- a/scripts/gcp-oidc/entrypoint.sh
+++ b/scripts/gcp-oidc/entrypoint.sh
@@ -8,20 +8,7 @@ if [ -z "${API_TOKEN_SECRET_NAME}" ]; then
exit 1
fi
-GCP_TOKEN=$(wget "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -q --header "Metadata-Flavor: Google" -O - | jq -e -r ".access_token")
-if [ $? -ne 0 -o -z "${GCP_TOKEN}" ]; then
- echo "Failed to get GCP token"
- exit 1
-fi
-
-API_TOKEN=$(wget "https://secretmanager.googleapis.com/v1/${API_TOKEN_SECRET_NAME}:access" -q --header "authorization: Bearer ${GCP_TOKEN}" --header "content-type: application/json" -O - | jq -e -r ".payload.data" | base64 -d)
-if [ $? -ne 0 -o -z "${API_TOKEN}" ]; then
- echo "Failed to get API token"
- exit 1
-fi
-
-export core_api_token="${API_TOKEN}"
-export optout_api_token="${API_TOKEN}"
+export gcp_secret_version_name="${API_TOKEN_SECRET_NAME}"
# -- locate config file
if [ -z "${DEPLOYMENT_ENVIRONMENT}" ]; then
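Review bot: The new side exports only `gcp_secret_version_name`, while the removed lines also exported `core_api_token` and `optout_api_token`; nothing in this diff shows whether any config template or downstream script still reads those two variables, so that should be confirmed before merging, otherwise they are now silently unset. A short comment above the new export would make the handoff explicit, e.g. `# The operator key is no longer fetched here; the Java process resolves this Secret Manager version name itself (gcp_secret_version_name).` The `:access` call in the removed code suggests the value is expected to be a full secret *version* resource name, which the surrounding `-z` check does not validate; a comment stating the expected shape would help operators. The `if [ -z "${DEPLOYMENT_ENVIRONMENT}" ]` block on the last line continues outside the hunk.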
diff --git a/src/main/java/com/uid2/operator/Const.java b/src/main/java/com/uid2/operator/Const.java
index 3e00e9c47..3cd1e8409 100644
--- a/src/main/java/com/uid2/operator/Const.java
+++ b/src/main/java/com/uid2/operator/Const.java
@@ -19,5 +19,6 @@ public class Config extends com.uid2.shared.Const.Config {
public static final String AzureVaultNameProp = "azure_vault_name";
public static final String AzureSecretNameProp = "azure_secret_name";
+ public static final String GcpSecretVersionNameProp = "gcp_secret_version_name";
}
}
diff --git a/src/main/java/com/uid2/operator/Main.java b/src/main/java/com/uid2/operator/Main.java
index 5726d1d5c..f36150314 100644
--- a/src/main/java/com/uid2/operator/Main.java
+++ b/src/main/java/com/uid2/operator/Main.java
@@ -500,6 +500,10 @@ private IOperatorKeyRetriever createOperatorKeyRetriever() throws Exception {
var secretName = this.config.getString(Const.Config.AzureSecretNameProp);
return OperatorKeyRetrieverFactory.getAzureOperatorKeyRetriever(vaultName, secretName);
}
+ case "gcp-oidc": {
+ var secretVersionName = this.config.getString(Const.Config.GcpSecretVersionNameProp);
+ return OperatorKeyRetrieverFactory.getGcpOperatorKeyRetriever(secretVersionName);
+ }
default: {
throw new IllegalArgumentException(String.format("enclave_platform is providing the wrong value: %s", enclavePlatform));
}
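Review bot: In the new `gcp-oidc` case, `secretVersionName` is passed straight to `OperatorKeyRetrieverFactory.getGcpOperatorKeyRetriever` without checking that the property was actually set; if `config.getString` returns null for a missing key (as it presumably does here), the failure surfaces later inside the retriever rather than as a clear configuration error at startup. A guard mirroring the `default` branch's style would make the misconfiguration explicit: `if (secretVersionName == null || secretVersionName.isEmpty()) { throw new IllegalArgumentException("gcp_secret_version_name is required when enclave_platform is gcp-oidc"); }`. The existing `azure` case has the same gap, so the check could be applied there in the same change if the project wants consistency. The enclosing `createOperatorKeyRetriever` method and its `switch` both start and end outside the hunk.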