GCP service account identity tokens for workload federation and svc account json

[salrashid123]

While updating docs for gcp based signing in sigstore/docs#416, i noticed that plain service account JSON and and GCP workload federation JSON files are not supported.

I'm not submitting a pull request related to that because i suspect its very rare usecase. In the event this does come up, the snippet below shows the changes i used to make it work for the various credential types on gcp

Basically, GCP credentials can bootstrap from a number of different ways ( metadata server, user auth, impersonation, svcaccount JSON, workload federation JSON).

When using google application defautl credentials, you can "just reference" a JSON file which can within it contain other credentials like

• "type": "service_account", << not really recommended
• "type": "external_account", <<< this will allow bootstrap from any environment aws,azure, onprem to acquire a gcp creds to cosign
• "type": "impersonated_service_account", << really rare and already implicitly supported in cosign

currently, cosign doens't use the JSON file based credentials values to acquire id_tokens. and bit below describes one way to do this.

ServiceAccount JSON

• https://docs.cloud.google.com/iam/docs/service-account-creds

Note, this credential reference actually includes the RSA key material...its not recommended to save keys like this but it is one of the types supported

eg:

$ cat  /path/to/svc_account.json | jq '.'
{
  "type": "service_account",
  "project_id": "yourproject",
  "private_key_id": "5a4faca2018redactedbfdbbf071293615a54fb1111111",
  "private_key": "-----BEGIN PRIVATE KEY-----redacted\n-----END PRIVATE KEY-----\n",
  "client_email": "yoursa@yourproject.iam.gserviceaccount.com",
  "client_id": "102752075963180111111",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/yoursa%40yourproject.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}

to use this mode, set the env var to bootstrap off of the credentials and it'll automatically acqurie an id_token

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/svc_account.json
$ go run cmd/cosign/main.go sign-blob     --bundle /tmp/artifact.sigstore.json /tmp/message.txt

the cert will have the SAN:

           X509v3 Subject Alternative Name: critical
                email:yoursa%40yourproject.iam.gserviceaccount.com
            1.3.6.1.4.1.57264.1.1: 
                https://accounts.google.com

External Account

GCP workload federation configs has an optional step to assume a user's credentials here: https://docs.cloud.google.com/iam/docs/workload-identity-federation#impersonation

for a standalone test example using an oidc provider here:

• Setup OIDC Federation

• sts-creds.json

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/9950811111/locations/global/workloadIdentityPools/fake-oidc-pool-1/providers/fake-oidc-provider-1",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "/tmp/oidccred.txt"
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/oidc-federated@yourproject.iam.gserviceaccount.com:generateAccessToken"
}

then allow the federated creds to impersonate

gcloud iam service-accounts add-iam-policy-binding oidc-federated@core-eso.iam.gserviceaccount.com  \
      --role roles/iam.serviceAccountTokenCreator   \
        --member "principal://iam.googleapis.com/projects/995081019036/locations/global/workloadIdentityPools/fake-oidc-pool-1/subject/alice@domain.com"

then set the env var and run

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/sts-creds.json

the cer'ts SAN is:

            X509v3 Subject Alternative Name: critical
                email:oidc-federated@yourproject.iam.gserviceaccount.com
            1.3.6.1.4.1.57264.1.1: 
                https://accounts.google.com

Impersonation

While the cosign docs already describes impersonation, this mechanism uses the JSON file based approach:

With the following, your local user credentials is used to impersonate the SA which intrun gets its id_token via IAM APIs.

1. login as yourself or any other way

gcloud auth application-default login

$ cat /home/srashid/.config/gcloud/application_default_credentials.json 
{
  "account": "",
  "client_id": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com",
  "client_secret": "d-FL95Q19q7MQmFpd7hHD0Ty",
  "quota_project_id": "core-eso",
  "refresh_token": "--redacted--",
  "type": "authorized_user",
  "universe_domain": "googleapis.com"
}

( opitonally delete the creds rm /home/srashid/.config/gcloud/application_default_credentials.json )

then specify the impersonated_creds.json file with the values in adc (this represents your user account as the source credentials; the source_credentails can also be another service account...)

$ cat /path/to/impersonated_creds.json 
{
  "type": "impersonated_service_account",
  "service_account_impersonation_url":  "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/yorusvcaccount@your_project.iam.gserviceaccount.com:generateAccessToken",
  "source_credentials": {
    "account": "",
    "client_id": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com",
    "client_secret": "d-FL95Q19q7MQmFpd7hHD0Ty",
    "quota_project_id": "your_project",
    "refresh_token": "redacted",
    "type": "authorized_user",
    "universe_domain": "googleapis.com"
  }
}

to allow this mechansim, your user needs to impersonate the serrvice account and that service account needs to get its id_token.

### allow user->impersonate sa
gcloud iam service-accounts add-iam-policy-binding cosign-svc-account@yourproject.iam.gserviceaccount.com  \
      --role roles/iam.serviceAccountTokenCreator   \
        --member "user:`gcloud config get-value core/account`"
        
### allow sa self impersonation just for id_token generation
gcloud iam service-accounts add-iam-policy-binding cosign-svc-account@yourproject.iam.gserviceaccount.com  \
      --role roles/iam.serviceAccountOpenIdTokenCreator   \
        --member "serviceAccount:cosign-svc-account@your.iam.gserviceaccount.com"

(the second level of impersonation is required because the client library right now assumes the active credetnials for the impersonated sa w/o knowing about its actual source. that could be an upstream improvement in google creds...)

to use

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/impersonated_creds.json
go run cmd/cosign/main.go sign-blob   --bundle /tmp/artifact.sigstore.json /tmp/message.txt

the cert has SAN:

            X509v3 Subject Alternative Name: critical
                email:cosign-svc-account@yourproject.iam.gserviceaccount.com
            1.3.6.1.4.1.57264.1.1: 
                https://accounts.google.com
            1.3.6.1.4.1.57264.1.8: 

---

the diff's included here

diff --git a/pkg/providers/google/google.go b/pkg/providers/google/google.go
index b5484c6f..2b2cbec6 100644
--- a/pkg/providers/google/google.go
+++ b/pkg/providers/google/google.go
@@ -17,7 +17,9 @@ package google
 
 import (
 	"context"
+	"encoding/json"
 
+	"golang.org/x/oauth2/google"
 	"google.golang.org/api/idtoken"
 	"google.golang.org/api/impersonate"
 
@@ -30,6 +32,7 @@ import (
 func init() {
 	providers.Register("google-workload-identity", &googleWorkloadIdentity{})
 	providers.Register("google-impersonate", &googleImpersonate{})
+	providers.Register("google-service-account-json", &googleServiceAccountJSON{})
 }
 
 type googleWorkloadIdentity struct{}
@@ -59,6 +62,48 @@ func (gwi *googleWorkloadIdentity) Provide(ctx context.Context, audience string)
 	return tok.AccessToken, nil
 }
 
+type googleServiceAccountJSON struct{}
+
+var _ providers.Interface = (*googleServiceAccountJSON)(nil)
+
+func (gwi *googleServiceAccountJSON) Enabled(ctx context.Context) bool {
+	creds, err := google.FindDefaultCredentials(context.TODO(), "https://www.googleapis.com/auth/cloud-platform")
+	if err != nil {
+		return false
+	}
+	var f struct {
+		Type string `json:"type"`
+	}
+	if err := json.Unmarshal(creds.JSON, &f); err != nil {
+		return false
+	}
+
+	switch google.CredentialsType(f.Type) {
+	case google.ServiceAccount:
+		return true
+	case google.ImpersonatedServiceAccount:
+		return true
+	case google.ExternalAccount:
+		return true
+	default:
+		return false
+	}
+
+}
+
+// Provide implements providers.Interface
+func (gwi *googleServiceAccountJSON) Provide(ctx context.Context, audience string) (string, error) {
+	ts, err := idtoken.NewTokenSource(ctx, audience)
+	if err != nil {
+		return "", err
+	}
+	tok, err := ts.Token()
+	if err != nil {
+		return "", err
+	}
+	return tok.AccessToken, nil
+}
+
 type googleImpersonate struct{}
 
 var _ providers.Interface = (*googleImpersonate)(nil)