Open Manouchka94 opened 1 year ago
Hey @Manouchka94 👋🏻
IIRC it is currently a limitation of GCP to use service accounts to use the assets API 🤔 But it has been a long time so not 100% sure. The GCP assets API is currently used to enumerate resources on GCP using a single API call.
driftctl will require a lot of work to change that to call every GCP service to List resources. driftctl is currently not doing anything special about the authentication, we are using the default mechanism of the Go SDK.
The error you are seeing is triggered by the google SDK, but we do not display the original error message. You could try to build a custom version of driftctl by updating the code here to give you more details about the error, maybe it will help. Just log the error with `logrus.Error(err)` for example.
Hi @eliecharra,
Thanks for your message 😄 I followed your advice and built a custom version of driftctl. I added this line `log.Error(err)`:

```go
// Log the original SDK error before it is replaced by the generic message
if err != nil {
	log.Error(err)
	return errors.New("Please use a Service Account to authenticate on GCP.\n" +
		"For more information: https://cloud.google.com/docs/authentication/production")
}
```
And it adds a log line:

```
ERRO[0000] google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
```

It uses the application-default-credentials to authenticate to GCP.

So I tried to add my OAuth token with an environment var:

```shell
export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
```

It still fails.

And I tried with the --header option:

```shell
driftctl scan --to="gcp+tf" --headers="Authorization=Bearer $(gcloud auth print-access-token)"
```

It also fails with the previous message, which asks me to use application-default-credentials.
The --header will not help here since it is only used to retrieve the terraform state.

Can you provide the process or the documentation you followed to achieve your oauth2 setup so we could try to reproduce locally? Unfortunately we do not have a lot of bandwidth to allocate to driftctl these days, so I can't share any time estimate about when we could get deeper on that.
To authenticate to GCP using an OAuth token I just followed the Google Provider configuration for Terraform.

Specifically the part about access_token: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#access_token

It says that "You can alternatively use the GOOGLE_OAUTH_ACCESS_TOKEN environment variable".

To authenticate to GCP I execute these commands:

```shell
# I authenticate to GCP using my personal account
gcloud auth login
# After login to GCP using a web browser, I can get an OAuth2 token using this command
gcloud auth print-access-token
# So I set the GOOGLE_OAUTH_ACCESS_TOKEN env var
export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
```

When I use this process of authentication I can run my Terraform plan/apply. But not driftctl.
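The mismatch in this thread is between two lookup chains: the Terraform Google provider reads GOOGLE_OAUTH_ACCESS_TOKEN, while the Go SDK's Application Default Credentials (ADC), which driftctl relies on, only checks GOOGLE_APPLICATION_CREDENTIALS, then the gcloud well-known file, then the metadata server. As an added example (not driftctl's or Google's code), this sh function walks the ADC order on a Unix host to show which source would be picked and why an exported access token is ignored; the output prefixes (env/file/error/none) are my own labels.

```shell
#!/bin/sh
# Added diagnostic, not part of driftctl: report where Application Default
# Credentials would be found, in the order the Go SDK searches.
# Unix path only; the metadata server is reported, not contacted.

adc_source() {
    # 1. Explicit credentials file named by the environment.
    if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        if [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
            echo "env:GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_APPLICATION_CREDENTIALS"
        else
            echo "error:GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_APPLICATION_CREDENTIALS is not readable"
        fi
        return 0
    fi
    # 2. Well-known file written by `gcloud auth application-default login`.
    adc_wk="$HOME/.config/gcloud/application_default_credentials.json"
    if [ -r "$adc_wk" ]; then
        echo "file:$adc_wk"
        return 0
    fi
    # 3. Nothing local: the SDK falls through to the GCE metadata server.
    #    Off GCE this is the "could not find default credentials" error.
    #    GOOGLE_OAUTH_ACCESS_TOKEN is never consulted by this chain.
    if [ -n "${GOOGLE_OAUTH_ACCESS_TOKEN:-}" ]; then
        echo "none:GOOGLE_OAUTH_ACCESS_TOKEN is set but ADC does not read it"
    else
        echo "none:metadata server would be tried next"
    fi
    return 0
}

adc_source
```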
Description

Hi everyone,

We use an OAuth token credential to authenticate to GCP in order to impersonate a service account. However, when I try to run a scan command it returns this error.

Example of podman command:

```shell
podman run --interactive --tty --rm -v $(pwd):/app:ro -e GOOGLE_IMPERSONATE_SERVICE_ACCOUNT="my-sva@my-project.iam.gserviceaccount.com" -e GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token) snyk/driftctl scan --to="gcp+tf"
```

Is the GOOGLE_OAUTH_ACCESS_TOKEN method supported?