Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

github.com/googlecloudplatform/professional-services/tools/spiffe-gcp-proxy

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/googlecloudplatform/professional-services/tools/spiffe-gcp-proxy

  • v0.0.0-20241209154754-a553464c0253
  • Source
  • Go
  • Socket score

Version published
Created
Source

SPIFFE GCP Proxy

This is a simple GOLANG application that provides an Auth proxy for On-Prem workloads that want to use Google Cloud Platform APIs, using SPIFFE and Workload Identity Federation.

Secure Production Identity Framework for Everyone SPIFFE is a framework defined by the Cloud Native Computing Foundation, that solves the security and identity challenges for workloads.

The workflow this proxy implements executes the following steps:

  1. The workload requests a GCP Auth token via http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/<sa>/token.
  2. The proxy requests a JSON Web Token (JWT) from the local Spire Agent.
  3. The Spire Agents requests the JWT from the Spire Server.
  4. The proxy takes the SPIFFE JWT and requests a new token from the Security Token Service (STS) API.
  5. STS verifies that the passed SPIFFE JWT is valid, by verifiying the issuer by retrieving the .well-known/openid-configuration and the JWKS.
  6. STS creates and passes back an access token. This token can only be used to impersonate a service account.
  7. The proxy requests a service account access token using the "impersonation token".
  8. The proxy responds to the workload with the GCP IAM access token for the service account.
  9. The workload can use the access token to authenticate and authorize against Google Cloud APIs.

Setup and Running

This tool requires a working SPIFFE setup with OIDC enabled (see the SPIRE getting started and setup the OIDC discovery provider). You also have integrated your SPIRE setup with Workload Identity Federation by creating a pool and provider.

The tool assumes that there is a GCP IAM Service Account that can be impersonated from the SPIFFE identity. This means you need to add a IAM policy binding for the SPIFFE ID:

gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
    --role=roles/iam.workloadIdentityUser \
    --member="principal://iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<workload_pool_id>/subject/<SPIFFE_ID>"

The proxy would run on a VM alongside a Spire agent. At the moment it's not possible to pass the identity of an application or process to the proxy, hence the proxies SPIFFE ID needs to be configured for impersonation in GCP IAM. In order to use the proxy from GCloud SDK or Google Cloud libraries, you should map metadata.google.internal to 127.0.0.1 in the VMs /etc/hosts file.

After the proxy is setup you can just retrieve a GCP access token like you used to. This should work with proxy like gcloud, gsutil, ... or using curl with:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

In order to run the proxy will need to checkout the sources and use go build main.go to build the proxy. Afterwards you can run the binary but you will need to pass the required configuration via command line. See the full table of options below.

Proxy Configuration Parameters

NameDefaultDescription
bind:8080Bind address, for a production scenario this would be :80
spiffe_urlhttp://localhost:8081SPIFFE Server URL
spiffe_agent_socket_pathunix:///tmp/spire-agent/public/api.sockSPIFFE Agent Socket Path
service_accountGCP IAM Service Account to impersonate (required)
projectIdGCP Project ID of the project to use (required)
projectNumberGCP Project Number of the project to use (required)
providerIdProvider ID of the Workload Identity provider to use (required)
poolIdPool ID of the Workload Identity Pool to use (required)
scopehttps://www.googleapis.com/auth/cloud-platformScope to request from GCP, e.g. https://www.googleapis.com/auth/cloud-platform

FAQs

Package last updated on 09 Dec 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc