GCP Native Authentication Method #1800
Conversation
backend/src/services/identity-gcp-auth/identity-gcp-auth-fns.ts
```ts
});

const identityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
  const doc = await identityGcpAuthDAL.create(
```
How come we don't do a check to make sure that the user enters at least one filter? From reading your PR description it sounds like Google will allow, say, if the identity auth token is valid, which means that with no filters anyone can send any valid token and get access. Let me know if I misunderstood something.
That's correct. If no filters are specified, then it will allow any GCP entity with a valid ID token to authenticate as the corresponding identity in Infisical; in the current iteration it would be on the operator for configuring it this way.
The configuration is intentionally left optional for all the filters so users can define whichever combination they wish (for GCP IAM Auth it would be necessary in practice to specify allowed service accounts, but for GCP ID Token Auth it wouldn't); we can alternatively enforce more granularly that IF the type is IAM Auth then allowed service accounts must be non-empty.
I think we should make it so that at least one filter is applied or at least mention in the docs that when you don't apply a filter, anyone can access your identity. I have a feeling that people might misunderstand so would be good to remind them just in case. Maybe you can do this in a separate commit in the docs for now?
Left one comment for clarification
Description 📣
This PR adds the new GCP native authentication method to Identities consisting of GCP ID Token Auth and GCE IAM Auth.
With this method, GCP resources avoid secret zero by not needing to store an additional token to authenticate with Infisical. Instead, they can use credentials/metadata already present in GCP to prove their identity to Infisical — this works by relaying an identity / signed JWT token through Infisical to be verified by the public key returned from the GCP API; if successful and certain allow conditions are met, then the entity is considered authenticated and an access token granting access to the Infisical API is returned.
Workflow for GCP ID Token Auth:
/api/v1/auth/gcp-auth/login endpoint, also containing the identityId that they are authenticating as (in practice this would likely be done via SDK or other client, but it can also be done manually).

Workflow for GCP IAM Auth:
/api/v1/auth/gcp-auth/login endpoint, also containing the identityId that they are authenticating as (in practice this would likely be done via SDK or other client, but it can also be done manually).
https://www.googleapis.com/service_accounts/v1/metadata/x509/ endpoint.

Note 1: The GCP authentication method will require additional engineering work for clients like Infisical Agent and SDKs to support it.
Note 2: The GCP authentication method requires a network connection from Infisical to GCP to verify the signed service account JWT token.
Type ✨
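An added example (not Infisical's own code) of the allow-condition step the description mentions, together with the "at least one filter" rule raised in review: it assumes the service account JWT's signature has already been verified against the certificate fetched from the x509 metadata endpoint, and the `allowedProjects` filter and `projectId` claim are hypothetical names chosen for the example.

```typescript
// Added illustration, not Infisical's code. Runs after the JWT signature has been
// verified against https://www.googleapis.com/service_accounts/v1/metadata/x509/ .
// allowedProjects / projectId are hypothetical names used only for this example.

type GcpAuthType = "gcp-iam" | "gcp-id-token";

interface GcpClaims {
  email: string;      // service account the token was issued for
  projectId?: string; // hypothetical claim for the example
}

interface GcpAuthFilters {
  allowedServiceAccounts: string[]; // the filter named in the PR discussion
  allowedProjects: string[];        // hypothetical second filter
}

// Decode the payload of a compact JWS (header.payload.signature). Only safe to
// trust because the signature was checked before this point.
function decodeClaims(jwt: string): GcpClaims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")) as GcpClaims;
}

function hasAtLeastOneFilter(f: GcpAuthFilters): boolean {
  return f.allowedServiceAccounts.length > 0 || f.allowedProjects.length > 0;
}

// Configuration-time check: refuse a setup that would admit any valid GCP token,
// and require allowed service accounts for the IAM variant as the thread suggests.
function validateFilters(type: GcpAuthType, f: GcpAuthFilters): string | null {
  if (!hasAtLeastOneFilter(f)) return "at least one allow filter is required";
  if (type === "gcp-iam" && f.allowedServiceAccounts.length === 0)
    return "IAM auth requires allowedServiceAccounts";
  return null;
}

// Login-time check on verified claims; fails closed when no filter is configured.
function isAllowed(claims: GcpClaims, f: GcpAuthFilters): boolean {
  if (!hasAtLeastOneFilter(f)) return false;
  if (f.allowedServiceAccounts.length > 0 && !f.allowedServiceAccounts.includes(claims.email)) return false;
  if (f.allowedProjects.length > 0 && !f.allowedProjects.includes(claims.projectId ?? "")) return false;
  return true;
}

// Constructed sample token: real-looking payload, placeholder signature segment.
const SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9." +
  Buffer.from(JSON.stringify({ email: "sa@example-project.iam.gserviceaccount.com",
    projectId: "example-project" })).toString("base64url") + ".sig";
```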