feat: GCS provisioner using ADC or existing service account for access tokens #111
Conversation
Codecov Report (attention: coverage decreased)
Coverage diff, main vs. #111:
  Coverage   63.52% -> 60.06% (-3.46%)
  Files      24 -> 24
  Lines      595 -> 576 (-19)
  Branches   30 -> 30
  Hits       378 -> 346 (-32)
  Misses     205 -> 217 (+12)
  Partials   12 -> 13 (+1)
Two review threads on extensions/common/gcp/gcp-core/src/main/java/org/eclipse/edc/gcp/iam/IamServiceImpl.java (outdated, resolved)
I think the scope of this PR is pretty vague: will we need both getServiceAccount and getOrCreateServiceAccount?
I agree with @paullatzelsperger that the ApplicationDefaultCredentials scope is also misleading... you say that you introduced it for testing reasons, but in fact it is part of the public API of IamServiceImpl.
My suggestion would be to rephrase this PR as it is seen from the perspective of the caller (the provisioner, according to the description); that will help define clearer interfaces and set up the correct testing boundaries.
Agreed, and I will create an interface for ApplicationDefaultCredentials, and then an inner class implementing it.
- IamServiceImpl.Builder now single-field
- Added AccessTokenProvider interface for adding app default credential provider and related test
Review thread on extensions/common/gcp/gcp-core/src/main/java/org/eclipse/edc/gcp/iam/IamServiceImpl.java (fixed)
Review thread on extensions/common/gcp/gcp-core/src/main/java/org/eclipse/edc/gcp/iam/IamServiceImpl.java (outdated, resolved)
Two review threads on extensions/common/gcp/gcp-core/src/test/java/org/eclipse/edc/gcp/iam/IamServiceImplTest.java (outdated, resolved)
As I said, I see no end-to-end endeavor: it is not clear who will use these new methods and how; they are dead code currently.
Please start from the provisioner point of view and, if that becomes too broad to be coded in a single PR, please provide an explanation of what the end result will be.
SG, I will update the PR and add the provisioner perspective with an additional commit.
GCS provisioner uses either application default credentials or existing service account to generate the access token for the sink
- GCS provisioner finds the service account name for the access token from (first valid in sequence):
  - transfer request configuration
  - connector configuration from GcpConfiguration
  - application default credentials
- refactor serviceAccount to serviceAccountName for GcsResourceDefinition
google-api-services-iam v2-rev20240108-2.0.0 is licensed under Apache 2.0: https://mvnrepository.com/artifact/com.google.apis/google-api-services-iam/v2-rev20240108-2.0.0
just some nits, all good for the rest
Review thread on ...sion/provision-gcs/src/main/java/org/eclipse/edc/connector/provision/gcp/GcsProvisioner.java (outdated, resolved)
@@ -89,28 +103,23 @@ public CompletableFuture<StatusResult<ProvisionResponse>> provision( | |||
} | |||
} | |||
|
|||
private String getServiceAccountName(GcsResourceDefinition resourceDefinition) { | |||
if (resourceDefinition.getServiceAccountName() != null) { | |||
// TODO verify service account name from resource definition before returning. |
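Review bot: getServiceAccountName returns resourceDefinition.getServiceAccountName() as soon as it is non-null, so a name carried in the transfer request is handed on without any validation, which the TODO on the same line acknowledges. Before it reaches the IAM call, at minimum check that the value is a well-formed service-account e-mail (name@project.iam.gserviceaccount.com) and that it is an account this connector is meant to act as; otherwise whoever authors the transfer request chooses the identity the sink token is minted for.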
is this TODO supposed to be solved in this PR or is there an issue related to it?
This TODO requires more internal sync, there is currently no issue related but I would target this in another PR
GcpAccessToken token = null; | ||
|
||
var serviceAccountName = getServiceAccountName(resourceDefinition); | ||
if (serviceAccountName != null && !serviceAccountName.isEmpty()) { |
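Review bot: `GcpAccessToken token = null;` followed by `if (serviceAccountName != null && !serviceAccountName.isEmpty()) {` leaves token null whenever the condition is false unless a later branch assigns it; an explicit else that either falls back to the ADC path or fails provisioning with a StatusResult error keeps a null token from ever being passed on to the sink. Also `isEmpty()` accepts whitespace-only values; `isBlank()` is the closer check if empty-string defaults are kept.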
I think serviceAccountName can never be null (please look at GcpConfiguration).
Unrelated: I think it's not a good approach to use an empty string as the default value; it would be better to leave null for not-configured settings, so a simple not-null check will already tell whether that configuration exists or not.
Updated GcpConfiguration, not returning null now
var uniqueServiceAccountDescription = generateUniqueServiceAccountDescription(processId, buckedName); | ||
return iamService.getOrCreateServiceAccount(serviceAccountName, uniqueServiceAccountDescription); | ||
} | ||
|
||
@NotNull | ||
private String sanitizeServiceAccountName(String processId) { |
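Review bot: buckedName in `generateUniqueServiceAccountDescription(processId, buckedName)` reads as a typo for bucketName. Further down, `sanitizeServiceAccountName(String processId)` is declared @NotNull but nothing in the shown hunk calls it, so the name passed to `iamService.getOrCreateServiceAccount(serviceAccountName, uniqueServiceAccountDescription)` is never sanitized; either call it on serviceAccountName before that line or remove the method so it does not suggest a check that never runs.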
unused (same for other 2 methods in this class)
Removed
…moved / inlined functions
LGTM, please open an issue related to that TODO so it won't be forgotten
What this PR changes/adds
IAM interface allows using ADC or an existing service account to generate access tokens, instead of creating and deleting new service accounts for this purpose.
GCS provisioner adapted to make use of the new functions provided by IAM.
Why it does that
The change avoids delays in the propagation of permissions to newly created service accounts.
Note
When using Application Default Credentials (i.e. when a service account is not specified), avoid user credentials and select the appropriate service account, http://cloud.google.com/docs/authentication/external/set-up-adc-on-cloud
Linked Issue(s)
Closes #110 #118
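The lookup order from the commit message above (transfer request, then connector configuration, then application default credentials) and the token-minting path described in the PR, as an added example that is not EDC's own code. It uses google-auth-library-java (GoogleCredentials, ImpersonatedCredentials, UserCredentials); the storage scope, the one-hour lifetime, the EDC_GCP_SERVICE_ACCOUNT_NAME environment variable and the service-account e-mail format check are assumptions made for the illustration, and the format check stands in for the TODO in getServiceAccountName.

```java
// Added example, not EDC project code. Resolves which service account will sign
// the GCS sink token, then mints a short-lived access token for it using
// google-auth-library-java (com.google.auth:google-auth-library-oauth2-http).
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.UserCredentials;

import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

public final class SinkTokenExample {
    // Assumed scope and lifetime for the sink token; adjust to the transfer's needs.
    private static final String STORAGE_SCOPE = "https://www.googleapis.com/auth/devstorage.read_write";
    private static final int LIFETIME_SECONDS = 3600;

    // Hypothetical format check standing in for the TODO in getServiceAccountName():
    // accept only a well-formed name@project.iam.gserviceaccount.com from the request.
    private static final Pattern SA_EMAIL = Pattern.compile(
            "^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\\.iam\\.gserviceaccount\\.com$");

    /**
     * Order from the PR: transfer request, then connector configuration, then ADC.
     * Returns null to signal "use the ADC identity itself".
     */
    static String resolveServiceAccountName(String fromRequest, String fromConnectorConfig) {
        if (isSet(fromRequest)) {
            if (!SA_EMAIL.matcher(fromRequest).matches()) {
                throw new IllegalArgumentException("malformed service account name in transfer request");
            }
            return fromRequest;
        }
        if (isSet(fromConnectorConfig)) {
            return fromConnectorConfig;
        }
        return null;
    }

    // Treats null and blank the same, so an empty-string default does not count as configured.
    private static boolean isSet(String value) {
        return value != null && !value.isBlank();
    }

    /**
     * Mints the sink token. With a name, the ADC principal impersonates that account
     * (it needs roles/iam.serviceAccountTokenCreator on it); without one, ADC signs directly.
     */
    static AccessToken mintSinkToken(String serviceAccountName) throws IOException {
        GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
        if (adc instanceof UserCredentials) {
            // ADC resolved to a developer's user credentials; refuse, as the PR note asks.
            throw new IOException("ADC resolved to user credentials; configure a service account instead");
        }
        GoogleCredentials signer;
        if (serviceAccountName == null) {
            signer = adc.createScoped(List.of(STORAGE_SCOPE));
        } else {
            signer = ImpersonatedCredentials.create(
                    adc, serviceAccountName, List.of(), List.of(STORAGE_SCOPE), LIFETIME_SECONDS);
        }
        return signer.refreshAccessToken();
    }

    public static void main(String[] args) throws IOException {
        // args[0] plays the role of the transfer request setting; the environment
        // variable name is an assumption for the connector-level configuration.
        String fromRequest = args.length > 0 ? args[0] : null;
        String name = resolveServiceAccountName(fromRequest, System.getenv("EDC_GCP_SERVICE_ACCOUNT_NAME"));
        AccessToken token = mintSinkToken(name);
        System.out.println("sink token for " + (name == null ? "ADC identity" : name)
                + " expires at " + token.getExpirationTime());
    }
}
```

Impersonation through ImpersonatedCredentials calls the IAM Credentials generateAccessToken API, so no key is created or downloaded and nothing has to be deleted afterwards; the token simply expires after LIFETIME_SECONDS, which is what removes the permission-propagation delay the PR describes.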