hashicorp / packer-plugin-googlecompute

Packer plugin for Google Compute Builder
https://www.packer.io/docs/builders/googlecompute
Mozilla Public License 2.0

Ensure OS Login API calls are using the correct Identities #72

Closed upodroid closed 2 years ago

upodroid commented 2 years ago

Fixes: #73

Can I get some help with the driver_mock.go?

This change fixes a bug where the OS Login email lookup doesn't work if service account impersonation is being used.

The tokeninfo function at the bottom of builder/googlecompute/step_import_os_login_ssh_key.go is initialised with incorrect ClientOption and won't work if you are impersonating.

Also, getGCEUser is broken with service account impersonation as it uses the metadata server of the instance/pod to get the email of the identity that is impersonating and not the impersonated identity.

I have reworked it to acquire the correct Access Token from NewClientOptionGoogle and then use it to make a call to get email from https://oauth2.googleapis.com/tokeninfo

@azr @SwampDragons
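The lookup described in this PR (take the access token from the same credentials the Compute client uses, then ask the tokeninfo endpoint whose token it is) can be demonstrated stand-alone. The Go below is an added example, not code from this PR or from the plugin: `AccessTokenSource`, `StaticToken`, `ActiveEmail` and `NewFakeTokenInfo` are names chosen here, the tokens and emails are constructed, and the endpoint is stood in for by an in-process `httptest` server so the example runs offline. The only thing it takes from the page is the endpoint URL and the `access_token` query parameter tokeninfo accepts.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenInfoURL is the endpoint the PR description uses to resolve an access
// token to the email of the identity it was minted for.
const TokenInfoURL = "https://oauth2.googleapis.com/tokeninfo"

// AccessTokenSource is the minimal interface this example needs (an assumption
// of the example). A real oauth2.TokenSource built from the same ClientOption
// as the Compute client, i.e. the impersonated identity when impersonation is
// configured, fits it by calling Token() and returning AccessToken.
type AccessTokenSource interface {
	AccessToken(ctx context.Context) (string, error)
}

// StaticToken is a constructed token source standing in for real credentials.
type StaticToken string

func (s StaticToken) AccessToken(context.Context) (string, error) { return string(s), nil }

type tokenInfoResponse struct {
	Email string `json:"email"`
}

// ActiveEmail returns the email behind the access token ts yields. Asking
// tokeninfo about the token the API client actually sends is what makes this
// correct under impersonation: the instance metadata server would only ever
// report the identity doing the impersonating.
func ActiveEmail(ctx context.Context, client *http.Client, endpoint string, ts AccessTokenSource) (string, error) {
	tok, err := ts.AccessToken(ctx)
	if err != nil {
		return "", fmt.Errorf("getting access token: %w", err)
	}
	if tok == "" {
		return "", errors.New("token source returned an empty access token")
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("access_token", tok) // tokeninfo takes the token as a query parameter
	u.RawQuery = q.Encode()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return "", err
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", fmt.Errorf("calling tokeninfo: %w", err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		// Expired, revoked or malformed tokens come back as a 4xx with a JSON error body.
		return "", fmt.Errorf("tokeninfo returned HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var info tokenInfoResponse
	if err := json.Unmarshal(body, &info); err != nil {
		return "", fmt.Errorf("decoding tokeninfo response: %w", err)
	}
	if info.Email == "" {
		// A valid token minted without the userinfo.email scope has no email claim.
		return "", errors.New("tokeninfo response carries no email; check the token's scopes")
	}
	return info.Email, nil
}

// NewFakeTokenInfo serves a stand-in for the tokeninfo endpoint so the example
// runs offline: known tokens map to an email, anything else is rejected.
func NewFakeTokenInfo(tokens map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if email, ok := tokens[r.URL.Query().Get("access_token")]; ok {
			_ = json.NewEncoder(w).Encode(map[string]string{"email": email, "email_verified": "true"})
			return
		}
		w.WriteHeader(http.StatusBadRequest)
		_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid_token", "error_description": "Invalid Value"})
	}))
}

func main() {
	// Constructed tokens: the impersonating caller and the impersonated builder SA.
	srv := NewFakeTokenInfo(map[string]string{
		"tok-caller":       "dev@example.com",
		"tok-impersonated": "packer-builder@my-project.iam.gserviceaccount.com",
	})
	defer srv.Close()
	email, err := ActiveEmail(context.Background(), srv.Client(), srv.URL, StaticToken("tok-impersonated"))
	fmt.Println(email, err)
}
```

Against the real endpoint, pass `http.DefaultClient` and `TokenInfoURL` instead of the fake server. Note that the token travels in the query string, so keep this call off any proxy that logs request URLs, and expect an empty email (not an HTTP error) when the impersonated credentials were requested without the userinfo.email scope.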

upodroid commented 2 years ago

Also, does Packer implement something like AtLeastOneOf from TF? ssh_username should be optional if use_os_login is set as the code already overrides ssh_username.

azr commented 2 years ago

> Also, does Packer implement something like AtLeastOneOf from TF?

The internal communicator should be able to try on different types of auth methods, yes. Does that answer your question ?

upodroid commented 2 years ago

> > Also, does Packer implement something like AtLeastOneOf from TF?
>
> The internal communicator should be able to try on different types of auth methods, yes. Does that answer your question ?

This error should be suppressed if use_os_login is set to true, given that ssh_username is overridden later.

Error: 1 error(s) occurred:

* An ssh_username must be specified
  Note: some builders used to default ssh_username to "root".

  on image.pkr.hcl line 53:
  (source code not available)

==> Wait completed after 10 microseconds

==> Builds finished but no artifacts were created.

azr commented 2 years ago

Are you able to change that error from validation ?

upodroid commented 2 years ago

> Are you able to change that error from validation ?

That parameter isn't adjustable in this package.

https://github.com/hashicorp/packer-plugin-sdk/blob/main/communicator/config.go

Anyway, I'll investigate that and open a PR for it separately. The PR works now.

upodroid commented 2 years ago

Thank you