The document discusses Google authentication using OAuth 2.0, detailing the importance of scopes and IAM for access control in Google Cloud Platform (GCP). It highlights examples of authentication flows, how service accounts and scopes work in various GCP services like Google Drive and App Engine, and discusses the limitations associated with default service accounts. Additionally, it provides insights into configuring custom service accounts and scopes for different GCP environments like GKE and Cloud Run.

1. Google Auth -
Dispelling the Magic

2. hello!
I am Zaar Hai
Staff Cloud Architect at DoiT International
linkedin.com/in/zaar
2

3. Google Auth is oAuth 2.0
3

4. oAuth 2.0 in a nutshell
✘ There are several authentication flows
✘ In all cases you end up with:
➢ An access token
➢ Scopes attached to the token
4

5. The Devil in the
Details Scopes
5
1.

6. Scopes in GCP / Google APIs
✘ Scopes provide a coarse access
➢ They are oAuth 2.0 authorization methods
✘ IAM controls are used for fine-grained access
✘ You need both scopes and IAM to succeed
6

7. GCP Example
$ gcloud auth login
Your browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent
.com&redirect_uri=http://localhost:8085/&scope=openid+https://www.googleapis.com/auth/userinfo.email+
https://www.googleapis.com/auth/cloud-platform+https://www.googleapis.com/auth/appengine.admin+http
s://www.googleapis.com/auth/compute+https://www.googleapis.com/auth/accounts.reauth&state=tvI6MgffayXIW3
pWNLH4WwRQ1cCXD2&access_type=offline&code_challenge=vTYdoAlYQ9Y1s9JGrxp_xztIdFHrDD13IHSVwBQMQqs&code_chal
lenge_method=S256
7

8. GCP Example
8
Scopes
We’ve authenticated gcloud to access GCP
on our behalf
All scopes: link
IAM
But we need IAM permissions on each
project we want to access
All permissions: link

9. A bit of history
Originally
GPC had only basic Viewer,
Editor, Owner IAM roles
So
They heavily relied on scopes
for access control.
However
This approach is quote limiting;
therefore IAM reigns and there
are no new fine-grained scopes
for GCP services.
Still, not all services have IAM
controls, so use dedicated GCP
projects with disabled APIs.
9

10. Google Drive Example
$ gcloud auth app-default login
$ python <<EOF
import google.auth
from googleapiclient.discovery import build
creds, project_id = google.auth.default()
service = build('drive', 'v3', credentials=creds)
results = service.files().list().execute()
EOF
Traceback… "Insufficient Permission: Request had insufficient
authentication scopes."
10

11. Google Drive Example
$ gcloud auth app-default login
--scopes='https://www.googleapis.com/auth/drive',
'https://www.googleapis.com/auth/cloud-platform'
$ python <<EOF
...
All good <- Provided you have Drive permissions as well!
11

12. Google Drive Example
$ gcloud auth app-default login
--scopes='https://www.googleapis.com/auth/drive',
'https://www.googleapis.com/auth/cloud-platform'
$ python <<EOF
...
All good
✘ Note that the following wouldn’t work:
creds, project_id = google.auth.default(scopes=[
'https://www.googleapis.com/auth/cloud-platform',
'https://www.googleapis.com/auth/drive',
])
12

13. I get the scopes
Now what?
13

14. Service accounts
✘ You code in VM / GKE / Cloud Run /etc. operates under service
account
✘ But what about scopes?
14

15. Oh My Defaults!
✘ Default GCE service account has EDITOR roles on your project
✘ Hence default scopes are restricted
✘ VM scopes can not be changed after creation
15

16. Oh My Defaults!
✘ Default GCE service account has EDITOR roles on your project
✘ Hence default scopes are restricted
✘ VM scopes can not be changed after creation
Again: No App on your VM can talk to Google Drive unless you configure
the VM in advance.
16

17. “
Custom ServiceAccount and
Scopes for a VM?
- gcloud CLI only
17

18. How about GKE?
18

19. Custom service account & scopes on GKE
✘ Configure Service Account & Scopes per node pool
✘ Still, CLI is your only real friend :/
19

20. Custom service account & scopes on GKE
✘ Configure Service Account & Scope per node pool
✘ Still, CLI is your only real friend :/
✘ Service Account per pod with GKE Workload Identity
➢ TBD: check scope situation here
20

21. Cloud Run / Functions?
21

22. Auth in Cloud Run / Functions
✘ Uses Compute / App Engine Default Service Account by default
➢ WATCH IT! - Editor role!
✘ Service account is configurable
gcloud run deploy --service-account=...
22

23. Auth in Cloud Run / Functions
✘ Uses Compute / App Engine Default Service Account by default
➢ WATCH IT! - Editor role!
✘ Service account is configurable
✘ No scope limitations! Just use:
creds, project_id = google.auth.default(scopes=[
'https://www.googleapis.com/auth/cloud-platform',
'https://www.googleapis.com/auth/drive',
])
23

24. App Engine
Least lucky of all
24

25. Auth in App Engine
✘ Uses App Engine Default Service Account
➢ WATCH IT! - Editor role!
✘ Service account is NOT configurable
✘ Scopes are NOT configurable - “cloud-platform” only
✘ No easy way around that without some serious creativity
25

26. References
26
✘ Google Auth - Dispelling the Magic
✘ The 2 limits of Google Cloud IAM service
✘ Service Account Impersonation in Terraform

27. thanks!
Any questions?
27