GoogleCloudPlatform / kms-integrations

https://cloud.google.com/kms
Apache License 2.0

Oauth token bad request - Okta & GCP #32

Closed eastokes closed 6 months ago

eastokes commented 6 months ago

I'm on MacOS ARM M1. I'm attempting to follow the instructions here https://cloud.google.com/kms/docs/reference/pkcs11-openssl

I built GoogleCloudPlatform/kms-integrations from the master branch with bazelisk test ...

I added bazel-bin/kmsp11/main/libkmsp11.so to my openssl engines directory. I also installed libpkcs11.dylib and pkcs11.dylib from libp11-0.4.12.

❯ openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

❯ ls -la openssl-3.0.11/lib/engines-3/
.r-xr-xr-x  18k root capi.dylib
lrwxr-xr-x  54M root libkmsp11.so
lrwxr-xr-x 136k root libpkcs11.dylib
.r-xr-xr-x  82k root loader_attic.dylib
.r-xr-xr-x  18k root padlock.dylib
lrwxr-xr-x 136k root pkcs11.dylib

However, when attempting to execute various commands interfacing with the cloud key, I'm getting the following error:

Error occurred when fetching oauth2 token - oauth2_credentials.cc:176 error 400 invalid_grant Bad Request

openssl dgst -sha256 -engine pkcs11 -keyform engine -sign pkcs11:object=code-signing-secret-key-us-central1 bar.txt
Engine "pkcs11" set.
kmsp11 failure occurred prior to library initialization: returning 0x30 from C_Initialize due to status UNKNOWN: Error occurred when fetching oauth2 token. [type.googleapis.com/kmsp11.StatusDetails='CK_RV=0x30']
Unable to load module openssl-3.0.11/lib/engines-3/libkmsp11.so
PKCS11_get_private_key returned NULL
Could not read private key from org.openssl.engine:pkcs11:pkcs11:object=code-signing-secret-key-us-central1
C07AA0EB01000000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:79:

W20240426 09:58:19.708248 3953162944 oauth2_credentials.cc:176] Call to http server ended with error 400 [{
  "error": "invalid_grant",
  "error_description": "Bad Request"
}].

In the same terminal I have already authenticated with gcloud auth login which initiates our auth flow with Okta. I then set the appropriate project. I can verify that I have access to the referenced key.

gcloud kms keys versions get-public-key 1 --location us-central1 --keyring code-signing-ktbz --project prj-infra-automation-ktbz --key code-signing-secret-key-us-central1

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAimWy7S8I5himj2B5Us2T
...
-----END PUBLIC KEY-----

tdbhacks commented 6 months ago

Our PKCS#11 library uses application default credentials, so you need to use

gcloud auth application-default login

At first glance I think that flow might still be supported through Okta, but unfortunately I'm not familiar with what that integration would look like, or whether the existing one you have set up for gcloud auth login just works right away with application default credentials as well.
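
The distinction the maintainer draws above (the credentials `gcloud auth login` stores for the CLI versus Application Default Credentials, which the PKCS#11 module reads) is the thing to check before loading the module. The helper below is an added example, not code from kms-integrations or from either commenter. It mirrors the documented ADC search order used by Google client libraries (the file named by GOOGLE_APPLICATION_CREDENTIALS, then gcloud's well-known file under $CLOUDSDK_CONFIG or ~/.config/gcloud, then the GCE metadata server, which is skipped here because nothing goes over the network) and reports which file, if any, the module would pick up. The function names adc_path, adc_type and check_adc are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of kms-integrations): report
# where Application Default Credentials would be resolved from, following the
# documented ADC search order:
#   1. the file named by $GOOGLE_APPLICATION_CREDENTIALS
#   2. gcloud's well-known file:
#      $CLOUDSDK_CONFIG/application_default_credentials.json, defaulting to
#      ~/.config/gcloud/application_default_credentials.json
#   3. the GCE metadata server (not probed here: this script stays offline)
# `gcloud auth login` writes the CLI's own user credentials, not this file,
# which is why gcloud can read the key while C_Initialize fails.

# Print the path the ADC lookup would consult first.
adc_path() {
    if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        printf '%s\n' "$GOOGLE_APPLICATION_CREDENTIALS"
        return 0
    fi
    cfg="${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}"
    printf '%s\n' "$cfg/application_default_credentials.json"
}

# Print the credential type recorded in the ADC JSON: "authorized_user" for
# `gcloud auth application-default login`, "service_account" for a key file,
# "external_account" for workload/workforce identity federation. Prints
# "missing" and fails when no readable file is present.
adc_type() {
    path=$(adc_path)
    if [ ! -r "$path" ]; then
        echo missing
        return 1
    fi
    # Minimal extraction without jq: the first "type": "..." pair in the file.
    sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$path" | head -n 1
}

# Offline pre-flight for the PKCS#11 module: succeed only if an ADC file exists,
# and say which login command creates one when it does not.
check_adc() {
    t=$(adc_type) || {
        echo "no ADC file at $(adc_path); run: gcloud auth application-default login" >&2
        return 1
    }
    echo "ADC source: $(adc_path) (type: $t)"
}

# Usage: check_adc && openssl dgst -sha256 -engine pkcs11 -keyform engine -sign ... file
```

Run check_adc before the openssl command; if it reports a missing file, `gcloud auth application-default login` creates one of type authorized_user. A 400 invalid_grant on token fetch when a file is present means the token endpoint rejected the stored refresh token (revoked, expired, or issued for a different account); re-running the same login command replaces it.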

eastokes commented 6 months ago
gcloud auth application-default login

This worked, thanks so much!