backend/gcs: Service Account Impersonation doesn't work if the original identity is another service account. #28139
Comments
If there's no bug against googleapis/google-cloud-go I'd suggest filing one, and linking it from here. I've got no big stake in which client library is used to call the GCS API personally, so if someone's working on the feature now it would make sense to switch to the google-go-api-client one. Otherwise, it'll be much easier to take in an upstream fix whenever that happens.
Just circling back here as well. There is a new impersonate package landing soon being worked on in: googleapis/google-api-go-client#927. This will be first released into a preview tag. Once it lands in a mainline release I would recommend updating to use that package instead of relying on the experimental client option. The new package is more flexible with setting scopes, which I believe to be the cause of this reported issue.
@codyoss Thanks for the update, I'll come back and patch this once that new package is released.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
I implemented service account impersonation a while back in #26700 and it works correctly if the original identity is a google user.
However, it doesn't work properly when you are using a Google Service Account as the original identity.
There is a bug present in how cloud.google.com/go/storage (modern/new client) handles ClientOptions supplied to a client, but it works correctly in google.golang.org/api/storage/v1 (legacy/autogen client). Terraform Core uses the new client but TPG uses the legacy client.
PoC:
Terraform Logs:
@rileykarson @slevenick How should we deal with this? Resolve it upstream at https://github.com/googleapis/google-cloud-go, or shall I rewrite the gcs backend to use the legacy client?
We also need to bump golang.org/x/oauth2 to a newer version to resolve this hashicorp/terraform-provider-google#8671 in Terraform Core.
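An added example, not code from this issue, from Terraform, or from the googleapis client libraries: the impersonation exchange the thread is about, written directly against the IAM Credentials `generateAccessToken` REST method with only the Go standard library, so that the scopes the impersonated token is minted with are explicit in the request rather than inherited from whatever client option the storage client happens to honour. The endpoint path and the `scope`/`lifetime`/`accessToken`/`expireTime` field names are those of the public IAM Credentials API; the `ImpersonatedTokenSource` type, the `NewFakeIAMCredentials` stand-in server and every token value are constructed here for illustration. A real caller would use the original identity's own access token (for a source service account, one obtained with the cloud-platform scope) and needs `roles/iam.serviceAccountTokenCreator` on the target.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// ImpersonatedTokenSource mints an access token for TargetSA by calling the
// IAM Credentials generateAccessToken method with the original identity's
// token. Scopes are sent explicitly and must be non-empty.
type ImpersonatedTokenSource struct {
	Endpoint    string        // base URL; production is https://iamcredentials.googleapis.com
	TargetSA    string        // e.g. "tf-state@my-project.iam.gserviceaccount.com" (constructed)
	Scopes      []string      // scopes the impersonated token is issued with
	Lifetime    time.Duration // requested lifetime, sent as "<seconds>s"
	SourceToken string        // access token of the original identity (user or service account)
	Client      *http.Client
}

type generateAccessTokenRequest struct {
	Delegates []string `json:"delegates,omitempty"`
	Scope     []string `json:"scope"`
	Lifetime  string   `json:"lifetime"`
}

type generateAccessTokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"`
}

// Token POSTs to /v1/projects/-/serviceAccounts/{TargetSA}:generateAccessToken
// and returns the impersonated token and its expiry.
func (s *ImpersonatedTokenSource) Token(ctx context.Context) (string, time.Time, error) {
	if len(s.Scopes) == 0 {
		return "", time.Time{}, fmt.Errorf("impersonate: no scopes requested for %s", s.TargetSA)
	}
	body, err := json.Marshal(generateAccessTokenRequest{
		Scope:    s.Scopes,
		Lifetime: fmt.Sprintf("%ds", int(s.Lifetime.Seconds())),
	})
	if err != nil {
		return "", time.Time{}, err
	}
	url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken",
		strings.TrimRight(s.Endpoint, "/"), s.TargetSA)
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return "", time.Time{}, err
	}
	req.Header.Set("Authorization", "Bearer "+s.SourceToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := s.Client.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		msg, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
		return "", time.Time{}, fmt.Errorf("impersonate: %s returned %d: %s",
			s.TargetSA, resp.StatusCode, strings.TrimSpace(string(msg)))
	}
	var out generateAccessTokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", time.Time{}, err
	}
	exp, err := time.Parse(time.RFC3339, out.ExpireTime)
	if err != nil {
		return "", time.Time{}, fmt.Errorf("impersonate: bad expireTime %q: %w", out.ExpireTime, err)
	}
	return out.AccessToken, exp, nil
}

// NewFakeIAMCredentials is a constructed stand-in for the real endpoint so the
// exchange runs offline. It enforces the two things that matter here: the
// caller must present the expected source token, and must request scopes.
func NewFakeIAMCredentials(sourceToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || !strings.HasSuffix(r.URL.Path, ":generateAccessToken") {
			http.Error(w, `{"error":{"code":404}}`, http.StatusNotFound)
			return
		}
		if r.Header.Get("Authorization") != "Bearer "+sourceToken {
			http.Error(w, `{"error":{"code":401,"message":"invalid source credential"}}`, http.StatusUnauthorized)
			return
		}
		var in generateAccessTokenRequest
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil || len(in.Scope) == 0 {
			http.Error(w, `{"error":{"code":400,"message":"scope is required"}}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(generateAccessTokenResponse{
			AccessToken: "ya29.constructed." + strings.Join(in.Scope, "+"), // constructed token
			ExpireTime:  time.Now().Add(time.Hour).UTC().Format(time.RFC3339),
		})
	}))
}

func main() {
	srv := NewFakeIAMCredentials("source-sa-token") // constructed source token
	defer srv.Close()
	ts := &ImpersonatedTokenSource{
		Endpoint:    srv.URL,
		TargetSA:    "tf-state@my-project.iam.gserviceaccount.com",
		Scopes:      []string{"https://www.googleapis.com/auth/devstorage.read_write"},
		Lifetime:    time.Hour,
		SourceToken: "source-sa-token",
		Client:      srv.Client(),
	}
	tok, exp, err := ts.Token(context.Background())
	if err != nil {
		panic(err)
	}
	fmt.Printf("impersonated token %s valid until %s\n", tok, exp.Format(time.RFC3339))
}
```

The returned token is what would be handed to the storage client (via a token source option) instead of letting the client derive impersonation from its own options; an empty scope list is rejected before any request is made, since that is the failure the thread attributes to the experimental client option.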