hashicorp / packer-plugin-googlecompute

Packer plugin for Google Compute Builder
https://www.packer.io/docs/builders/googlecompute
Mozilla Public License 2.0

Broken Service Account impersonation #83

Closed fgateuil closed 2 years ago

fgateuil commented 2 years ago

Overview of the Issue

When using Google Cloud IAM impersonation mechanism I'm getting an error stating that my user doesn't have sufficient privileges. I successfully used this mechanism with Terraform hoping it would be the same with Packer.

Reproduction Steps

First of all, in order to use the impersonation mechanism, it is necessary to configure the appropriate service accounts as described here:

  1. Create the Service Account that owns the permissions to interact with the GCE instances:
    1. To make the tests easier, assign the role roles/editor to it;
    2. Service account identifier: service_account_builder@your_project_id.iam.gserviceaccount.com;
  2. Create the Service Account that will be used to impersonate the service account above:
    1. Assign no permission to it;
    2. Service account identifier: service_account_doorman@your_project_id.iam.gserviceaccount.com;
  3. Allow service_account_doorman@your_project_id.iam.gserviceaccount.com to impersonate service_account_builder@your_project_id.iam.gserviceaccount.com by granting it the roles below:
    1. Service Account Token Creator;
    2. Service Account User.
  4. Finally, generate a JSON key for the service account service_account_doorman@your_project_id.iam.gserviceaccount.com: impersonation_json_key.json.

Finally, use the JSON key to run the build.

Plugin and Packer version

$ packer --version
1.7.10

Simplified Packer Buildfile

packer {
  required_plugins {
    googlecompute = {
      version = ">= 1.0.10"
      source  = "github.com/hashicorp/googlecompute"
    }
  }
}

source "googlecompute" "vm_image" {
  project_id                  = "your_project_id"
  source_image_family         = "centos-7"
  zone                        = "europe-west1-b"
  machine_type                = "n1-standard-8"
  impersonate_service_account = "service_account_doorman@your_project_id.iam.gserviceaccount.com"
  image_description           = "VM image"
  instance_name               = "tpl-vm-image-{{uuid}}"
  disk_size                   = 50
  disk_type                   = "pd-ssd"
  metadata = {
    enable-oslogin : "true"
  }
  use_os_login      = true
  ssh_username      = "root"
  image_name        = "tpl-vm-image"
}

build {
  sources = ["sources.googlecompute.vm_image"]

  provisioner "shell" {
    inline = ["echo foo"]
  }
}

And finally, run the build:

GOOGLE_APPLICATION_CREDENTIALS="impersonation_json_key.json" packer build template.pkr.hcl

Operating system and Environment details

$ uname -a
Linux 3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*-release
CentOS Linux release 8.4.2105
NAME="CentOS Linux"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
CentOS Linux release 8.4.2105
CentOS Linux release 8.4.2105

Log Fragments and crash.log files

Full logs available here.
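A review check for the IAM chain set up in the reproduction steps above, added here as an example; it is not part of the issue or of the plugin's code. It assumes the builder account's policy was exported with `gcloud iam service-accounts get-iam-policy <builder> --format=json`, and the two sample policies are constructed, not taken from the reporter's project.

```python
import json

# Roles the issue's setup grants the doorman account on the builder account.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}
DOORMAN = "service_account_doorman@your_project_id.iam.gserviceaccount.com"


def check_impersonation_chain(policy_json: str, doorman: str):
    """Review the builder service account's IAM policy (JSON output of
    `gcloud iam service-accounts get-iam-policy --format=json`).

    Returns (ok, findings). ok is True when the doorman holds both
    impersonation roles and nobody else can mint tokens for the builder
    account, which would be an unintended path to its roles/editor grant.
    """
    policy = json.loads(policy_json)
    member = f"serviceAccount:{doorman}"
    doorman_roles, token_creators = set(), set()
    for binding in policy.get("bindings", []):
        members = set(binding.get("members", []))
        if member in members:
            doorman_roles.add(binding["role"])
        if binding["role"] == "roles/iam.serviceAccountTokenCreator":
            token_creators |= members
    findings = []
    for role in sorted(IMPERSONATION_ROLES - doorman_roles):
        findings.append(f"{doorman} lacks {role}")
    for extra in sorted(token_creators - {member}):
        findings.append(f"unexpected token creator on builder account: {extra}")
    return not findings, findings


# Constructed sample policies (not real output from the reporter's project).
GOOD_POLICY = json.dumps({"bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator", "members": [f"serviceAccount:{DOORMAN}"]},
    {"role": "roles/iam.serviceAccountUser", "members": [f"serviceAccount:{DOORMAN}"]},
], "etag": "BwXconstructed=", "version": 1})

BAD_POLICY = json.dumps({"bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": [f"serviceAccount:{DOORMAN}", "user:intern@example.com"]},
], "etag": "BwXconstructed=", "version": 1})

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        ok, findings = check_impersonation_chain(policy, DOORMAN)
        print(name, "OK" if ok else "FINDINGS", findings)
```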

fgateuil commented 2 years ago

Note that Packer seems to use a deprecated Google API for the impersonation mechanism. A PR is to come from here.

ConorNevin commented 2 years ago

@fgateuil @azr I've just run into this issue - is there an ETA on getting this fix merged?

fgateuil commented 2 years ago

> @fgateuil @azr I've just run into this issue - is there an ETA on getting this fix merged?

Hi @ConorNevin, I've been quite busy these days and the PR I created is just missing a little something to be complete. I'm gonna try to work on it right away in order to have something ready asap. Thanks for the reminder as well ;)