smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

[Bug]: gcloud permission denied error #1933

Closed GBBx closed 1 month ago

GBBx commented 1 month ago

Steps to Reproduce

I set up step-ca with Google Cloud KMS according to https://smallstep.com/docs/step-ca/cryptographic-protection/#google-cloud-kms. step-ca runs as a systemd unit (I copied the unit file from https://smallstep.com/docs/step-ca/certificate-authority-server-production). This setup works perfectly on 0.26.1.

But if I update it to 0.27.0 or 0.27.1 it fails to start with the following error message:

open /home/step/.config/gcloud/certificate_config.json: permission denied

I understand the user (step in my case) should work even without a home directory. However, I did try to create the /home/step/.config/gcloud/ folder and the JSON file (with just "{}" as its content) and I still get the same error.

I did search a bit on the internet but what I found does not look relevant (https://cloud.google.com/beyondcorp-enterprise/docs/enable-cba-enterprise-certificates).

Your Environment

Expected Behavior

The step-ca service should start.

Actual Behavior

The step-ca service fails to start.

Additional Context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

GBBx commented 1 month ago

The issue persists on v0.27.2.

hslatman commented 1 month ago

@GBBx is it possible CBA is enabled on the machine where the CA is running? As far as I know we don't default to enabling that, and without having looked too much into the KMS configuration so far, it seems it's trying to use CBA to authenticate. Some information on enabling/disabling it is here: https://cloud.google.com/beyondcorp-enterprise/docs/enable-cba-client-apps. Is the GOOGLE_API_USE_CLIENT_CERTIFICATE=1 env var set, for example?

GBBx commented 1 month ago

@hslatman , thanks a lot for the hint!

I checked the current setting:

gcloud config get context_aware/use_client_certificate
False

step-ca runs as a systemd service, and GOOGLE_API_USE_CLIENT_CERTIFICATE=1 was not set in the unit file.

However, adding Environment=GOOGLE_API_USE_CLIENT_CERTIFICATE=0 to the unit file solved the issue.
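The fix in the comment above is a single Environment= line in the unit file, and the earlier gcloud check shows why it is easy to miss: the gcloud setting and the environment variable the service sees are two different things. The following POSIX shell script is an added example, not code from the issue or from the smallstep project. It parses the Environment= lines of a systemd unit to find the value the service will actually get for GOOGLE_API_USE_CLIENT_CERTIFICATE, and, when the variable is not pinned, emits a drop-in override that sets it to 0 (the value the reporter found to work). The sample unit it writes, the paths, and the choice to treat "false" as equivalent to 0 are assumptions; the thread only establishes that 0 works.

```shell
#!/bin/sh
# Added example (not from the smallstep issue or project): check whether a
# systemd unit for step-ca pins GOOGLE_API_USE_CLIENT_CERTIFICATE and, if not,
# print a drop-in that sets it to 0. Unit contents and paths are assumptions.
set -eu

VAR=GOOGLE_API_USE_CLIENT_CERTIFICATE

# Print the effective value of variable $2 from the Environment= lines of unit
# file $1. systemd semantics approximated: a later assignment overrides an
# earlier one, a bare "Environment=" clears everything set so far, and each
# KEY=VALUE token may be wrapped in single or double quotes (values containing
# whitespace are not handled). Returns 1 and prints nothing if unset.
effective_env_value() {
  unit=$1; var=$2; val=''; found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      Environment=*) ;;
      *) continue ;;
    esac
    rest=${line#Environment=}
    if [ -z "$rest" ]; then val=''; found=0; continue; fi
    for tok in $rest; do
      tok=${tok#\"}; tok=${tok%\"}
      tok=${tok#\'}; tok=${tok%\'}
      case $tok in
        "$var="*) val=${tok#"$var="}; found=1 ;;
      esac
    done
  done < "$unit"
  [ "$found" -eq 1 ] || return 1
  printf '%s\n' "$val"
}

# Values treated as "client certificates off". "0" is what the thread confirmed;
# accepting "false" as well is an assumption, not something the thread shows.
is_disabled_value() {
  case $1 in 0|false|False|FALSE) return 0 ;; *) return 1 ;; esac
}

# 0 if the unit pins the variable to a disabling value, 1 if unset or otherwise.
check_unit() {
  v=$(effective_env_value "$1" "$VAR") || return 1
  is_disabled_value "$v"
}

# Drop-in override (hypothetical file name) that pins the variable to 0.
dropin_content() {
  printf '[Service]\nEnvironment=%s=0\n' "$VAR"
}

demo() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  # Constructed sample unit with the shape of a step-ca service (User=step,
  # ExecStart of step-ca) that does not pin the variable.
  cat > "$tmp/step-ca.service" <<'EOF'
[Unit]
Description=step-ca service

[Service]
Type=simple
User=step
Group=step
Environment=STEPPATH=/etc/step-ca
ExecStart=/usr/local/bin/step-ca config/ca.json --password-file password.txt

[Install]
WantedBy=multi-user.target
EOF
  if check_unit "$tmp/step-ca.service"; then
    echo "ok: $VAR is pinned to a disabling value"
  else
    echo "warn: $VAR is not pinned; suggested drop-in (step-ca.service.d/override.conf):"
    mkdir -p "$tmp/step-ca.service.d"
    dropin_content > "$tmp/step-ca.service.d/override.conf"
    cat "$tmp/step-ca.service.d/override.conf"
  fi
}

demo
```

On a real host the drop-in would go under /etc/systemd/system/step-ca.service.d/ followed by `systemctl daemon-reload`; after a restart, `systemctl show -p Environment step-ca` confirms what the service process actually receives, which is the check that the gcloud config command cannot give you.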

hslatman commented 1 month ago

Hmm, interesting. I might give it a try sometime soon too, to see the behavior for myself. If the env var was not set before, it sounds like it might be interpreting that to default to enabling it.