
fix: service account impersonation with workforce credentials #770

Merged
merged 10 commits into from Oct 21, 2021


Collaborator

@lsirac lsirac commented Oct 13, 2021

While service account impersonation is not commonly used with workforce pool configurations, there is a bug where the workforcePoolUserProject is not being set on the source credential.

This also lets us align with other languages that added the workforcePoolUserProject to the base class, instead of IdentityPoolCredentials (though it is the only one that currently supports it).

The bug itself is fixed by the refactor. By moving workforcePoolUserProject to be set in the base constructor, it is set before initializeImpersonatedCredentials() is called. A copy of the source credential is then made that has the workforcePoolUserProject set. Prior to this it was not set and the impersonation call resulted in a 403.

@lsirac lsirac requested a review from a team as a code owner October 13, 2021 22:38
@google-cla google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Oct 13, 2021
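
The initialization-order problem explained in the pull request description above, reduced to a stand-alone Java model in which the "before" variant builds the source copy without the user project. This is an added example, not code from the pull request or the library: only `workforcePoolUserProject` and `initializeImpersonatedCredentials()` come from the page; the class names, the `sourceUserProject` field and the sample project value are hypothetical, and the "before" layout (subclass assigning the field after `super()`) is an assumption.

```java
// Added illustration; a simplified model, not the library's code.
public class InitOrderDemo {
  // Before (assumed layout): the subclass owns workforcePoolUserProject, so the
  // base constructor copies the source credential while the field is still null.
  abstract static class BaseBefore {
    final String sourceUserProject; // hypothetical: value carried by the source copy
    BaseBefore() {
      this.sourceUserProject = initializeImpersonatedCredentials();
    }
    abstract String getWorkforcePoolUserProject();
    String initializeImpersonatedCredentials() {
      return getWorkforcePoolUserProject(); // runs during super(), before subclass init
    }
  }

  static class IdentityPoolBefore extends BaseBefore {
    private final String workforcePoolUserProject;
    IdentityPoolBefore(String project) {
      super();
      this.workforcePoolUserProject = project; // assigned after the copy was made
    }
    @Override
    String getWorkforcePoolUserProject() {
      return workforcePoolUserProject;
    }
  }

  // After: the base constructor assigns the field first, then builds the copy.
  static class BaseAfter {
    final String workforcePoolUserProject;
    final String sourceUserProject;
    BaseAfter(String project) {
      this.workforcePoolUserProject = project;
      this.sourceUserProject = initializeImpersonatedCredentials();
    }
    String initializeImpersonatedCredentials() {
      return workforcePoolUserProject;
    }
  }

  public static void main(String[] args) {
    String project = "example-project"; // constructed sample value
    System.out.println("before: " + new IdentityPoolBefore(project).sourceUserProject);
    System.out.println("after:  " + new BaseAfter(project).sourceUserProject);
  }
}
```

A regression test for this class of bug asserts on the copied source credential itself rather than on the outer credential, since the outer object holds the correct value in both variants.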
Member

@TimurSadykov TimurSadykov left a comment


Some general comments for now. Can you please highlight the bugfix itself? Otherwise refactoring hides it.

Member

@TimurSadykov TimurSadykov left a comment


Looks good, couple small comments

Member

@TimurSadykov TimurSadykov left a comment


LGTM

@chanseokoh chanseokoh added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 21, 2021
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 21, 2021
@lsirac lsirac merged commit 6449ef0 into googleapis:main Oct 21, 2021
@lsirac lsirac deleted the sa_wf branch October 21, 2021 18:29