
Enable GCP Authentication

Open reedk-au opened this issue 4 years ago • 3 comments

Fixes #280

Add a flag to source that will look for and use GCP application default credentials instead of using AWS credentials

reedk-au, Jul 09 '21 16:07

Implementing the same on in and out, moved into draft status until completed. Comments and recommendations welcome in the meantime.

reedk-au, Jul 13 '21 16:07

Hey, sorry for the late response.

I don't think this PR can be accepted in the current form; the reasoning is the same as the one in https://github.com/concourse/concourse/issues/3023 and Aidan's comment in https://github.com/concourse/registry-image-resource/pull/287#issuecomment-876483708.

The TL;DR is that Concourse differentiates resources based on their source, and automagic metadata servers break this assumption. With this PR, if I have 2 worker nodes with different credentials, it is now possible for a check step to return different versions depending on which worker it was run on (if each VM's creds can see different GCR repos).

As an alternative, I would be open to something like the current AWS flow, where the authenticated session is constructed from credentials passed in from the source: https://github.com/concourse/registry-image-resource/blob/4372334d66d137cf536ef5c1ce2cd6944b0c5506/types.go#L288-L291

Maybe you can do something similar by using google.CredentialsFromJSON and taking the TokenSource from there?

chenbh, Jul 19 '21 19:07
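
The source-driven flow suggested in the comment above, as an added example that is not code from this PR or from the resource: the `gcp_service_account_json` source field and the `GCPKeyFromSource` helper are hypothetical, and the block uses only the standard library, stopping where the validated bytes would be handed to `google.CredentialsFromJSON`. Accepting only the `service_account` type is an assumption added here so the credential stays self-contained in the source.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Source stands in for the resource's source config. The
// gcp_service_account_json field is hypothetical, not an existing option.
type Source struct {
	Repository            string `json:"repository"`
	GCPServiceAccountJSON string `json:"gcp_service_account_json,omitempty"`
}

// keyFile holds the fields of a service account key that are checked here.
type keyFile struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// GCPKeyFromSource returns the bytes to pass to google.CredentialsFromJSON.
// It never falls back to worker-local credentials, so every worker given
// the same source authenticates as the same identity.
func GCPKeyFromSource(src Source) ([]byte, error) {
	if src.GCPServiceAccountJSON == "" {
		return nil, errors.New("gcp_service_account_json not set; refusing ambient credentials")
	}
	var k keyFile
	if err := json.Unmarshal([]byte(src.GCPServiceAccountJSON), &k); err != nil {
		return nil, fmt.Errorf("gcp_service_account_json is not valid JSON: %w", err)
	}
	// Assumption: other credential types may point at files or URLs on the
	// worker, which would make check results worker-dependent again.
	if k.Type != "service_account" {
		return nil, fmt.Errorf("unsupported credential type %q", k.Type)
	}
	if k.ClientEmail == "" || k.PrivateKey == "" {
		return nil, errors.New("key is missing client_email or private_key")
	}
	return []byte(src.GCPServiceAccountJSON), nil
}

func main() {
	// Constructed sample: no credential in source, so the call must fail.
	_, err := GCPKeyFromSource(Source{Repository: "gcr.io/example/app"})
	fmt.Println("no key in source:", err)
}
```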

No worries, thanks for the review @chenbh and this makes sense. Will see if we can get this to work and move this PR to a draft in the meantime.

reedk-au, Jul 21 '21 15:07

What is needed to get this active again?

michaelpporter, Oct 05 '24 15:10