We are trying to upload files to GCP bucket using the below cURL
curl -v --location --request POST 'https://storage.googleapis.com/upload/storage/v1/b/<bucketName>/o?uploadType=media&name=<path>' --header "Authorization: $AUTH_HEADER" --header 'Content-Type: application/java-archive' --data-binary '#'${OBJECT_NAME}
Currently we are generating AUTH_HEADER using gcloud auth print-access-token but this seems like a short lived token. Is there any way we can generate permanent token? Actually we are trying to automate upload process using CI/CD pipelines. If we could get a permanent access token we can encrypt and use it on the CI job itself.
access tokens are short lived by design. It comes back to the fact that access tokens are bearer tokens and will work for the bearer of the token until the token has expired with out any extra security checking. This means if you have a permeant access token and its stolen then the person stealing it is
Related
We have a Django application is hosted on GCP cloud run and sits behind IAP for user authentication. Our use case was to generate token on a local machine by a user and after getting the token. Followed IAP Programmatic authentication but was getting the following error.
Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (xxxxxxxx.apps.googleusercontent.com) doesn't match expected value (yyyyyyyy.apps.googleusercontent.com)
Expected result was a JSON response with token in it.
We solved the following issue by passing an 'audience' body param to the following code and tweaking original doc provided by GCP:
curl --verbose \
--data client_id=DESKTOP_CLIENT_ID \
--data client_secret=DESKTOP_CLIENT_SECRET \
--data code=AUTH_CODE \
--data redirect_uri=http://localhost:4444 \
--data audience=IAP_OAUTH_ID \
--data grant_type=authorization_code \
https://oauth2.googleapis.com/token
This IAP_OAUTH_ID is auto-generated by GCP when you turn on the IAP and is present under OAuth 2.0 Client IDs in APIs & services > Credentials section of GCP.
Our guess is when we try to generate token for IAP using our local machine without passing 'audience' in the body, it does generate token but for some other instance of IAP which obviously won't work with the one hosted on GCP, which is sitting in front of cloud run load balancer.
Therefore to make it work correct instance of IAP for which token is getting generated also has to be passed, which is done using the audience body param.
I am using SecretManager Service of GCP and is using client libraries to access secrets.
My prod and dev credentials are different.
If we want to use these client libraries, the service account file needs to exported as GOOGLE_APPLICATION_CREDENTIALS variable. This is required as GCP checks whether the exported service account has the required permission to access Secrets.
As of now, I provide these service account file in code and export them in makefile and Dockerfile before the start of the server
Now, I want to access the service account file too from the SecretManager and that can't be done using client Libraries.
I went through the best practices of Secret Manager and there it is not recommended to provide secrets via filesystem or environment variables as it is vulnerable to attacks
The only option that I can think of is to access this service account file secret by using secretManager curl API in dockerfile but that would be complex as I also have to decode the utf-8 secret using bash.
curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id/versions/version-id":access --request "GET" --header "authorization: Bearer $(gcloud auth print-access-token)" --header "content-type: application/json"
Is there any other best practice recommended for handling this situation?
curl -X "POST" "https://my.tapkey.com/api/v1/owners/xxx/grants/xxxx/revoke" \
-H 'Authorization: Bearer xxxx'
I get
{"Message":"The requested resource does not support http method 'POST'."}
I created a grant and I wanted to delete it because I was testing. I thought that revoke can be something similar. I guess I am wrong about the grant concept here.
Is there a way to delete grants?
Why the error message is telling me that the revoke endpoint does not support POST?
As specified in the documentation for this endpoint, you need to specify dryRun query parameter.
https://my.tapkey.com/api/v1/owners/xxx/grants/xxxx/revoke?dryRun=false
With gcloud I am logged into a terminal window with my email address, me#gmail.com. This project has the Gmail API enabled, and I am owner of this config. gcloud auth list shows
`Active Account`
`*me#gmail.com`
gcloud projects get-iam-policy $PROJECT shows that me#gmail.com as owner
I have an Oauth client/secret created in the project. My intent it to generate an access token to authenticate to the gmail API via the terminal with
`curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://gmail.googleapis.com/gmail/v1/users/me/labels`. (me is my actual email address)
Doing so gives me a 403. I can, however, use https://developers.google.com/oauthplayground/
and get a token with my particular scopes fine. Do I need to pass the Oauth Client Id to print-access-token? Why wouldn't owner have permissions over all possible actions in an API that's enabled?
EDIT: I have tried logging with auth application-default credentials as well with the same result.
TIA
You don't have the correct scope. You need to correctly scope your credential. Start by using this command to add the scope that you want in your credential
gcloud auth application-default login \
--scopes='https://mail.google.com/',\
'https://www.googleapis.com/auth/cloud-platform'
Then use the application-default access_token to call your service
curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
https://gmail.googleapis.com/gmail/v1/users/me/labels`. (me is my actual email address)
It should work better.
I want to be able to invoke a GloudRun endpoint by one of my GKE pods.
When I describe my VMs/instances that comprise my GKE cluster, I see
serviceAccounts:
- email: 873099409230-compute#developer.gserviceaccount.com
So I added the CloudRun Invoker role to the above service account.
I have enabled CloudRun with Authentication Required.
However when I exec to one of my pods and try to curl the endpoint I get 403 (which I also get from my laptop, but the later is expected).
Any suggestions?
Curl don't know Google Cloud security. I mean that cURL don't know how to add the security token to your request. For this, you have to explicitly add the token in the header of your request.
From my computer I use this, because it's my personal account which is defined in Gcloud SDK.
curl -H "Authorization: Bearer $(gcloud config config-helper --format='value(credential.id_token)')" <URL>
With a service account defined in gcloud, you can use this command
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" <URL>
In both case you have to add the authorization header to your request.
In your code, if you use google libraries, you can use default credential, your default compute service-account will be used. cURL don't know do this!