New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(internaloption): add AllowNonDefaultServiceAccount internaloption #1127
feat(internaloption): add AllowNonDefaultServiceAccount internaloption #1127
Conversation
@mohanli-ml Is there an AIP or design doc for this? I lack the context for this change. |
@mohanli-ml Following up on Cody's comment... Is this something we can enable across all APIs? Why do we need an option for it? |
Sorry for the late response. This option is proposed to solve the conflict that DirectPath only support the default service account, while currently in GCP non-default service account is largely used. We:
This option should not be enabled before the service owners talk to the MDB group directpath-security-reviews and get their approval. See details in https://docs.google.com/document/d/1DgKCBcmz3J0OjbpO0BZBrwQIm3LrDBs8t9AS67NG0z4/edit#heading=h.qkiqy0p84mi8. |
@@ -138,7 +138,7 @@ func dial(ctx context.Context, insecure bool, o *internal.DialSettings) (*grpc.C | |||
// * The endpoint is a host:port (or dns:///host:port). | |||
// * Credentials are obtained via GCE metadata server, using the default | |||
// service account. | |||
if o.EnableDirectPath && checkDirectPathEndPoint(endpoint) && isTokenSourceDirectPathCompatible(creds.TokenSource) && metadata.OnGCE() { | |||
if o.EnableDirectPath && checkDirectPathEndPoint(endpoint) && isTokenSourceDirectPathCompatible(creds.TokenSource, o) && metadata.OnGCE() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
&& (o.AllowNonDefaultServiceAccount || isTokenSourceDirectPathCompatible(creds.TokenSource))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry it seems this comment will change the functionality. For example if creds.TokenSource
is nil
, then isTokenSourceDirectPathCompatible(creds.TokenSource, o)
will be false
, but (o.AllowNonDefaultServiceAccount || isTokenSourceDirectPathCompatible(creds.TokenSource))
could be true
if o.AllowNonDefaultServiceAccount
is true.
LGTM, just a nit |
Add an internal option AllowNonDefaultServiceAccount for cloud services to bypass the check that credential must be retrieved from the metadata server and must use the default service account. In this way, non-default service account can be used for DirectPath.