
Google User Account authentication type

Open vh opened this issue 3 years ago • 3 comments

At the moment there is support for Google Service Account, but that forces us to create a service account for each developer.

It would be great to have support for Google User Account (type: "authorized_user" in terms of GCP, not only type: "service_account"). We may find the credentials in the ~/.config/gcloud folder for that.

vh, Dec 04 '21 13:12

Thank you for opening this issue. I couldn't find any documentation for Google User Accounts in terms of GCP (type: "authorized_user"). Do you have a documentation link available regarding this topic and how to obtain such access tokens?

To use Google user accounts to call Google APIs you could also use the Kreya Authentication Type OAuth2 / OpenID-Connect with https://accounts.google.com as the issuer. Client credentials can be created here: https://console.cloud.google.com/apis/credentials.

latonz, Dec 05 '21 14:12

Ohh, you are right. It seems "authorized_user" is just something gcloud SDK specific. You may find such credentials in ~/.config/gcloud/ credentials.db or legacy_credentials directory. It contains client_id, client_secret and refresh_token. But anyway it seems that is not exactly what we need.

In many cases we use Cloud Run to host gRPC services. Cloud Run allows us to enable authentication based on OIDC. For development purposes we may simply use the gcloud auth print-identity-token command to generate a short-lived token and then paste it to metadata (more details: https://cloud.google.com/run/docs/authenticating/developers). I know that the gcloud CLI uses refresh_token to generate id_token under the hood. I thought that it is possible to repeat such an approach within the tool. But at the moment I think this is not the right way, because it looks like a very specific solution around gcloud-specific things with no info on how to implement that.

The main issue in our case is that it is necessary to run the token generation command from the command line and then paste the token to metadata each time. At the moment in Kreya there is no possibility to run an external command and paste the returned result, is there? A possible way (but I'm not sure it is the best) to solve our issue could be simply allowing external command/script execution from templates.

vh, Dec 09 '21 20:12

We added this to our internal road map and may implement this in the future. There are some security implications about executing local commands, especially with shared Kreya projects which we'll have to solve first if we want to implement this.

Just curious, did you get a chance to try using OAuth2 / OpenID-Connect with https://accounts.google.com as the issuer?

latonz, Dec 13 '21 16:12