Google Auth -
Dispelling the Magic
hello!
I am Zaar Hai
Staff Cloud Architect at DoiT International
linkedin.com/in/zaar
2
Google Auth is oAuth 2.0
3
oAuth 2.0 in a nutshell
✘ There are several authentication flows
✘ In all cases you end up with:
➢ An access token
➢ Scopes attached to the token
4
1. The Devil in the Details: Scopes
5
Scopes in GCP / Google APIs
✘ Scopes provide a coarse access
➢ They are oAuth 2.0 authorization methods
✘ IAM controls are used for fine-grained access
✘ You need both scopes and IAM to succeed
6
GCP Example
$ gcloud auth login
Your browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http://localhost:8085/&scope=openid+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/cloud-platform+https://www.googleapis.com/auth/appengine.admin+https://www.googleapis.com/auth/compute+https://www.googleapis.com/auth/accounts.reauth&state=tvI6MgffayXIW3pWNLH4WwRQ1cCXD2&access_type=offline&code_challenge=vTYdoAlYQ9Y1s9JGrxp_xztIdFHrDD13IHSVwBQMQqs&code_challenge_method=S256
7
GCP Example
8
Scopes: we’ve authenticated gcloud to access GCP on our behalf.
All scopes: link
IAM: but we still need IAM permissions on each project we want to access.
All permissions: link
A bit of history
Originally, GCP had only the basic Viewer, Editor and Owner IAM roles,
so access control relied heavily on scopes.
However, this approach is quite limiting; therefore IAM reigns and there
are no new fine-grained scopes for GCP services.
Still, not all services have IAM controls, so use dedicated GCP
projects with disabled APIs.
9
Google Drive Example
$ gcloud auth application-default login
$ python <<EOF
import google.auth
from googleapiclient.discovery import build
# Application Default Credentials: the user credentials gcloud just stored
creds, project_id = google.auth.default()
service = build('drive', 'v3', credentials=creds)
# Fails: the ADC token carries only the default login scopes, not Drive
results = service.files().list().execute()
EOF
Traceback… "Insufficient Permission: Request had insufficient
authentication scopes."
10
Google Drive Example
$ gcloud auth application-default login --scopes=https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/cloud-platform
$ python <<EOF
...
All good <- Provided you have Drive permissions (IAM) as well!
✘ Note that the following wouldn’t work (for user ADC the scopes are fixed at login time, so asking for more here changes nothing):
creds, project_id = google.auth.default(scopes=[
    'https://www.googleapis.com/auth/cloud-platform',
    'https://www.googleapis.com/auth/drive',
])
11-12
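To make the scope layer from the GCP and Drive examples above inspectable, here is an added example (written for this page, not code from the slides, from gcloud or from google-auth). It parses the `scope` parameter of the login URL gcloud printed, reads the scopes a token actually carries from a tokeninfo response, and predicts the "insufficient authentication scopes" failure before the Drive call is made. The `state` and `code_challenge` values are placeholders, the tokeninfo body is a constructed sample in the shape of `https://oauth2.googleapis.com/tokeninfo` output, and scopes are matched literally (a pass is certain, a reported gap may be a false alarm where a broader scope covers it).

```python
"""Added example (not from the slides): what scopes a gcloud login requests,
what scopes a token carries, and whether an API call will clear the scope
layer. IAM is a separate layer and is not modelled here.
"""
import json
import os
from urllib.parse import urlsplit, parse_qs
from urllib.request import urlopen

# URL from the GCP Example slide; state and code_challenge are placeholders.
GCLOUD_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth?response_type=code"
    "&client_id=32555940559.apps.googleusercontent.com"
    "&redirect_uri=http://localhost:8085/"
    "&scope=openid+https://www.googleapis.com/auth/userinfo.email"
    "+https://www.googleapis.com/auth/cloud-platform"
    "+https://www.googleapis.com/auth/appengine.admin"
    "+https://www.googleapis.com/auth/compute"
    "+https://www.googleapis.com/auth/accounts.reauth"
    "&state=STATE_PLACEHOLDER&access_type=offline"
    "&code_challenge=CHALLENGE_PLACEHOLDER&code_challenge_method=S256"
)

DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
COMPUTE_SCOPE = "https://www.googleapis.com/auth/compute"

# Constructed sample of a tokeninfo body for a token minted by the login above.
SAMPLE_TOKENINFO = json.dumps({
    "azp": "32555940559.apps.googleusercontent.com",
    "aud": "32555940559.apps.googleusercontent.com",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/cloud-platform "
             "https://www.googleapis.com/auth/appengine.admin "
             "https://www.googleapis.com/auth/compute "
             "https://www.googleapis.com/auth/accounts.reauth",
    "expires_in": "3599",
    "email": "someone@example.com",
    "access_type": "offline",
})


def _query(url: str) -> dict:
    return parse_qs(urlsplit(url).query)


def requested_scopes(auth_url: str) -> list:
    """Scopes an authorization URL asks the user to grant.

    RFC 6749 makes `scope` a space-separated list; gcloud encodes the spaces
    as '+', which parse_qs decodes back to spaces before we split.
    """
    return _query(auth_url).get("scope", [""])[0].split()


def uses_pkce(auth_url: str) -> bool:
    """True when the flow binds the authorization code to an S256 PKCE challenge."""
    q = _query(auth_url)
    return bool(q.get("code_challenge", [""])[0]) and q.get("code_challenge_method", [""])[0] == "S256"


def granted_scopes(tokeninfo_body: str) -> set:
    """Scopes attached to an access token, read from a tokeninfo JSON body."""
    return set(json.loads(tokeninfo_body).get("scope", "").split())


def missing_scopes(granted: set, required: set) -> set:
    """Required scopes the token does not carry (literal match).

    Empty means the scope layer passes and only IAM remains to be satisfied;
    non-empty is what produces "Request had insufficient authentication scopes".
    """
    return set(required) - set(granted)


def fetch_tokeninfo(access_token: str) -> str:
    """Ask Google which scopes a live token carries (network; not used by tests)."""
    with urlopen("https://oauth2.googleapis.com/tokeninfo?access_token=" + access_token) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Live check: ACCESS_TOKEN="$(gcloud auth print-access-token)" python this_file.py
    token = os.environ.get("ACCESS_TOKEN")
    body = fetch_tokeninfo(token) if token else SAMPLE_TOKENINFO
    print("login requests:", requested_scopes(GCLOUD_AUTH_URL), "PKCE:", uses_pkce(GCLOUD_AUTH_URL))
    for api, needed in (("compute", {COMPUTE_SCOPE}), ("drive", {DRIVE_SCOPE})):
        gap = missing_scopes(granted_scopes(body), needed)
        print(api, "clears the scope layer" if not gap else f"will fail: missing {sorted(gap)}")
```

Run against the sample, `compute` clears the scope layer while `drive` is reported as missing, which is exactly the slide's traceback; with `ACCESS_TOKEN` set it reports on the token gcloud currently holds.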
I get the scopes
Now what?
13
Service accounts
✘ Your code in a VM / GKE / Cloud Run / etc. operates under a service account
✘ But what about scopes?
14
Oh My Defaults!
✘ The default GCE service account has the Editor role on your project
✘ Hence the default scopes are restricted
✘ VM scopes cannot be changed after creation
Again: no app on your VM can talk to Google Drive unless you configure
the VM in advance.
16
“Custom Service Account and Scopes for a VM?” - gcloud CLI only
17
How about GKE?
18
Custom service account & scopes on GKE
✘ Configure Service Account & Scope per node pool
✘ Still, CLI is your only real friend :/
✘ Service Account per pod with GKE Workload Identity
➢ TBD: check scope situation here
20
Cloud Run / Functions?
21
Auth in Cloud Run / Functions
✘ Uses the Compute / App Engine Default Service Account by default
➢ WATCH IT! - Editor role!
✘ Service account is configurable:
gcloud run deploy --service-account=...
✘ No scope limitations! Just use:
creds, project_id = google.auth.default(scopes=[
    'https://www.googleapis.com/auth/cloud-platform',
    'https://www.googleapis.com/auth/drive',
])
22-23
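The "Oh My Defaults" slide and the Cloud Run slide above describe the same risk: a workload silently running as the project's default service account, which carries the Editor role out of the box. Here is an added audit example for both (written for this page, not code from the deck or from Google). It assumes the JSON shape of `gcloud compute instances list --format=json` (`serviceAccounts[].email` and `.scopes`) and of `gcloud run services list --format=json` (Knative `spec.template.spec.serviceAccountName`), treats a Cloud Run service with no `serviceAccountName` as using the default, and runs over constructed sample records rather than a real project.

```python
"""Added example (not from the slides): flag VMs and Cloud Run services that
run as the default compute / App Engine service account, and VMs where the
baked-in cloud-platform scope leaves nothing to limit that Editor-level identity.
"""
import json
import re

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
# PROJECT_NUMBER-compute@developer.gserviceaccount.com is the default compute SA;
# PROJECT_ID@appspot.gserviceaccount.com is the App Engine default (also Editor).
DEFAULT_SA = re.compile(
    r"^(\d+-compute@developer|[a-z][-a-z0-9:.]*@appspot)\.gserviceaccount\.com$")

# Constructed samples in the shape of the two gcloud list commands' JSON output.
SAMPLE_INSTANCES = json.dumps([
    {"name": "web-1", "serviceAccounts": [{
        "email": "123456789012-compute@developer.gserviceaccount.com",
        "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                   "https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "batch-1", "serviceAccounts": [{
        "email": "123456789012-compute@developer.gserviceaccount.com",
        "scopes": [CLOUD_PLATFORM]}]},
    {"name": "api-1", "serviceAccounts": [{
        "email": "api-runner@my-project.iam.gserviceaccount.com",
        "scopes": [CLOUD_PLATFORM]}]},
])
SAMPLE_RUN_SERVICES = json.dumps([
    {"metadata": {"name": "frontend"}, "spec": {"template": {"spec": {
        "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com"}}}},
    {"metadata": {"name": "billing"}, "spec": {"template": {"spec": {
        "serviceAccountName": "billing-svc@my-project.iam.gserviceaccount.com"}}}},
    {"metadata": {"name": "legacy"}, "spec": {"template": {"spec": {}}}},
])


def is_default_sa(email: str) -> bool:
    return bool(DEFAULT_SA.match(email))


def audit_instances(instances_json: str) -> list:
    """One finding per problem found on a VM's service account; [] is clean."""
    findings = []
    for inst in json.loads(instances_json):
        for sa in inst.get("serviceAccounts", []):
            email = sa.get("email", "")
            if not is_default_sa(email):
                continue  # a dedicated SA: its IAM bindings decide, not scopes
            res = f"instance/{inst['name']}"
            findings.append({"resource": res, "email": email,
                             "issue": "runs as default service account (Editor by default)"})
            if CLOUD_PLATFORM in set(sa.get("scopes", [])):
                findings.append({"resource": res, "email": email,
                                 "issue": "cloud-platform scope on the default SA: "
                                          "scopes no longer restrict an Editor-level identity"})
    return findings


def audit_run_services(services_json: str) -> list:
    """Cloud Run services still on the default SA; fix with --service-account."""
    findings = []
    for svc in json.loads(services_json):
        spec = svc.get("spec", {}).get("template", {}).get("spec", {})
        sa = spec.get("serviceAccountName", "")  # unset => default compute SA (assumption)
        if sa == "" or is_default_sa(sa):
            findings.append({"resource": f"run/{svc['metadata']['name']}",
                             "email": sa or "(unset: default compute SA)",
                             "issue": "redeploy with gcloud run deploy --service-account=<dedicated SA>"})
    return findings


if __name__ == "__main__":
    # Real data: gcloud compute instances list --format=json > vms.json, etc.
    for f in audit_instances(SAMPLE_INSTANCES) + audit_run_services(SAMPLE_RUN_SERVICES):
        print(f"{f['resource']:<16} {f['email']:<52} {f['issue']}")
```

On the samples, `web-1` and `batch-1` are flagged for the default SA and `batch-1` additionally for cloud-platform, while `api-1` with a dedicated service account produces nothing; on the Cloud Run side `frontend` and the unset `legacy` are flagged and `billing` is clean.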
App Engine
Least lucky of all
24
Auth in App Engine
✘ Uses App Engine Default Service Account
➢ WATCH IT! - Editor role!
✘ Service account is NOT configurable
✘ Scopes are NOT configurable - “cloud-platform” only
✘ No easy way around that without some serious creativity
25
References
26
✘ Google Auth - Dispelling the Magic
✘ The 2 limits of Google Cloud IAM service
✘ Service Account Impersonation in Terraform
thanks!
Any questions?
27
