certificates
                        feat(gcp): enable organization validation
Hey all, I'm submitting a PR to enable validating that a project is a part of a GCP organization, rather than a static list of project IDs. As I mention in the commit message, I tried to strike the right balance between production-ready and proof-of-concept, so feel free to leave as much feedback as possible since I'm open to changing anything.
I'm going to share the first commit message below:
Before this commit, users could specify a hardcoded list of project IDs to restrict access to the GCP provisioner. While this works, it can be both toilsome to the team maintaining the Smallstep installation and unintuitive to the internal infrastructure users that may encounter errors as a result of their project not being added.
This commit is a rough attempt at adding support for validating that a GCP project belongs to a given GCP organization. It does this by using the projects.getAncestry call in the Cloud Resource Manager API. If a token's project claim does not have the given organization ID as its topmost ancestor, the token is rejected. This will require the resourcemanager.projects.get IAM permission on the organization.
The new OrganizationID configuration directive is compatible with the existing ProjectIDs configuration. If ProjectIDs is non-empty, it will take precedence over the OrganizationID and act as it did before, with the minor difference that if OrganizationID is also non-empty, the provisioner will check the project's ancestry before rejecting the token.
There are a couple of outstanding questions and tasks after this commit. I tried to strike the right balance between production-ready and proof-of-concept here, so I'm open to any suggestions.
- Is the authority/provisioner/gcp package the right place for adding this functionality? Is the new struct the right approach?
- We should add tests for validating the organization ID.
- How should users configure the authentication for the Cloud Resource Manager client? I expect this would be similar to the Cloud KMS integration.
- Does Smallstep Professional run in an environment that will be able to authenticate with Google? We would need to either grant permissions to a Smallstep-owned Google service account if it's run in GCP, or set up something like Google's Workload Identity Federation to handle a K8s, AWS, or Azure deployment.
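As an added example (not code from this PR or from the certificates project), the validation described above in Go: it parses a constructed projects.getAncestry response, accepts a project only when its topmost ancestor is the configured organization, and applies the ProjectIDs-before-OrganizationID precedence. The sample IDs and the allow-all behaviour when neither setting is configured are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Types mirror the Cloud Resource Manager v1 projects.getAncestry JSON:
// ancestor[0] is the project itself, the last entry is the topmost ancestor,
// and type is "project", "folder" or "organization".
type Ancestor struct {
	ResourceID struct {
		Type string `json:"type"`
		ID   string `json:"id"`
	} `json:"resourceId"`
}
type AncestryResponse struct{ Ancestor []Ancestor `json:"ancestor"` }

// Constructed sample response; the project, folder and org IDs are made up.
const SampleAncestry = `{"ancestor":[{"resourceId":{"type":"project","id":"example-proj"}},{"resourceId":{"type":"folder","id":"111"}},{"resourceId":{"type":"organization","id":"999"}}]}`

// ProjectInOrganization reports whether the topmost ancestor is organization
// orgID; an empty ancestry or a project with no organization above it fails.
func ProjectInOrganization(raw []byte, orgID string) (bool, error) {
	var resp AncestryResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return false, err
	}
	if len(resp.Ancestor) == 0 {
		return false, errors.New("empty ancestry")
	}
	top := resp.Ancestor[len(resp.Ancestor)-1].ResourceID
	return top.Type == "organization" && top.ID == orgID, nil
}

// AllowProject applies the precedence the PR describes: a listed project ID is
// accepted outright, otherwise ancestry is checked only when an OrganizationID
// is set. Neither configured means allow all (assumed existing behaviour).
func AllowProject(projectIDs []string, orgID, projectID string, ancestry []byte) (bool, error) {
	for _, id := range projectIDs {
		if id == projectID {
			return true, nil
		}
	}
	if orgID == "" {
		return len(projectIDs) == 0, nil
	}
	return ProjectInOrganization(ancestry, orgID)
}
```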