One of the great promises of Google Cloud is to make authentication simple. This promise indeed holds true the majority of the time, particularly if you don't go beyond the core Google Cloud services to a wider spectrum of Google APIs. In this talk, we'll explore the likely caveats and provide solutions on how to deal with them.
6. Scopes in GCP / Google APIs
✘ Scopes provide coarse-grained access
➢ They are OAuth 2.0 authorization methods
✘ IAM controls are used for fine-grained access
✘ You need both scopes and IAM to succeed
7. GCP Example
$ gcloud auth login
Your browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http://localhost:8085/&scope=openid+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/cloud-platform+https://www.googleapis.com/auth/appengine.admin+https://www.googleapis.com/auth/compute+https://www.googleapis.com/auth/accounts.reauth&state=tvI6MgffayXIW3pWNLH4WwRQ1cCXD2&access_type=offline&code_challenge=vTYdoAlYQ9Y1s9JGrxp_xztIdFHrDD13IHSVwBQMQqs&code_challenge_method=S256
8. GCP Example
Scopes: We've authenticated gcloud to access GCP on our behalf. All scopes: link
IAM: But we need IAM permissions on each project we want to access. All permissions: link
9. A bit of history
Originally, GCP had only the basic Viewer, Editor and Owner IAM roles, so it relied heavily on scopes for access control.
However, this approach is quite limiting; therefore IAM reigns and there are no new fine-grained scopes for GCP services.
Still, not all services have IAM controls, so use dedicated GCP projects with disabled APIs.
10. Google Drive Example
$ gcloud auth application-default login
$ python <<EOF
import google.auth
from googleapiclient.discovery import build
creds, project_id = google.auth.default()
service = build('drive', 'v3', credentials=creds)
results = service.files().list().execute()
EOF
Traceback… "Insufficient Permission: Request had insufficient
authentication scopes."
11. Google Drive Example
$ gcloud auth application-default login \
    --scopes='https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/cloud-platform'
$ python <<EOF
...
All good <- Provided you have Drive permissions as well!
✘ Note that the following wouldn’t work:
creds, project_id = google.auth.default(scopes=[
'https://www.googleapis.com/auth/cloud-platform',
'https://www.googleapis.com/auth/drive',
])
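To make the scope problem from the Drive example concrete, here is an added example (not code from the talk) that parses the authorization URL `gcloud auth login` printed on the GCP Example slide, lists the scopes it actually requests, reports which scopes an app would still be missing, and builds the `gcloud auth application-default login --scopes=...` command that fixes it. The URL is the one from the slide, re-joined onto one line; the scope constants are the standard Google scope URIs used on the previous slides.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the authorization URL printed by `gcloud auth login` on the
# GCP Example slide, re-joined onto one line (state/code_challenge as printed there).
AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth?response_type=code"
    "&client_id=32555940559.apps.googleusercontent.com"
    "&redirect_uri=http://localhost:8085/"
    "&scope=openid+https://www.googleapis.com/auth/userinfo.email"
    "+https://www.googleapis.com/auth/cloud-platform"
    "+https://www.googleapis.com/auth/appengine.admin"
    "+https://www.googleapis.com/auth/compute"
    "+https://www.googleapis.com/auth/accounts.reauth"
    "&state=tvI6MgffayXIW3pWNLH4WwRQ1cCXD2&access_type=offline"
    "&code_challenge=vTYdoAlYQ9Y1s9JGrxp_xztIdFHrDD13IHSVwBQMQqs"
    "&code_challenge_method=S256"
)
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

def requested_scopes(auth_url):
    """Scopes the authorization request asks the user to grant. Google separates
    them with '+' (a form-encoded space), which parse_qs decodes back to spaces."""
    query = parse_qs(urlsplit(auth_url).query)
    return query.get("scope", [""])[0].split()

def missing_scopes(auth_url, needed):
    """Scopes the app needs that the login never requested. A non-empty result is
    the 'insufficient authentication scopes' failure from the Drive example:
    IAM may permit the call, but the token was never allowed to make it."""
    granted = set(requested_scopes(auth_url))
    return [scope for scope in needed if scope not in granted]

def uses_pkce(auth_url):
    """True when the request carries an S256 PKCE challenge, which binds the
    authorization code to the gcloud process that started the flow."""
    query = parse_qs(urlsplit(auth_url).query)
    return query.get("code_challenge_method") == ["S256"] and bool(
        query.get("code_challenge", [""])[0])

def adc_login_command(scopes):
    """gcloud command that re-creates Application Default Credentials with
    exactly these scopes (the --scopes flag takes a comma-separated list)."""
    return "gcloud auth application-default login --scopes=" + ",".join(scopes)

if __name__ == "__main__":
    print("missing for Drive:", missing_scopes(AUTH_URL, [DRIVE_SCOPE]))
    print(adc_login_command([DRIVE_SCOPE, CLOUD_PLATFORM_SCOPE]))
```

Running it shows that the default login requests six scopes, none of which is the Drive scope, which is exactly why the first Drive call fails even for a user with Drive permissions.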
14. Service accounts
✘ Your code in a VM / GKE / Cloud Run / etc. operates under a service account
✘ But what about scopes?
15. Oh My Defaults!
✘ The default GCE service account has the Editor role on your project
✘ Hence the default scopes are restricted
✘ VM scopes cannot be changed after creation
Again: no app on your VM can talk to Google Drive unless you configure the VM in advance.
19. Custom service account & scopes on GKE
✘ Configure Service Account & Scopes per node pool
✘ Still, CLI is your only real friend :/
✘ Service Account per pod with GKE Workload Identity
➢ TBD: check scope situation here
22. Auth in Cloud Run / Functions
✘ Uses Compute / App Engine Default Service Account by default
➢ WATCH IT! - Editor role!
✘ Service account is configurable
gcloud run deploy --service-account=...
✘ No scope limitations! Just use:
creds, project_id = google.auth.default(scopes=[
'https://www.googleapis.com/auth/cloud-platform',
'https://www.googleapis.com/auth/drive',
])
25. Auth in App Engine
✘ Uses App Engine Default Service Account
➢ WATCH IT! - Editor role!
✘ Service account is NOT configurable
✘ Scopes are NOT configurable - “cloud-platform” only
✘ No easy way around that without some serious creativity
26. References
✘ Google Auth - Dispelling the Magic
✘ The 2 limits of Google Cloud IAM service
✘ Service Account Impersonation in Terraform