Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/salrashid123/gcp_process_credentials_node

Process Credentials for GCP Client Library - node
https://github.com/salrashid123/gcp_process_credentials_node

aws aws-authentication

Last synced: 29 days ago
JSON representation

Process Credentials for GCP Client Library - node

Host: GitHub
URL: https://github.com/salrashid123/gcp_process_credentials_node
Owner: salrashid123
License: apache-2.0
Created: 2023-08-21T11:10:50.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2023-08-21T11:14:27.000Z (over 1 year ago)
Last Synced: 2024-11-22T04:15:21.952Z (3 months ago)
Topics: aws, aws-authentication
Language: JavaScript
Homepage:
Size: 15.6 KB
Stars: 0
Watchers: 2
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        ## Process Credentials for GCP Client Library  - node

Google Cloud Credential provider which allows sourcing credentials from an external process.

Essentially, its a credential source which allows the delegation of acquiring GCP `access_tokens` to arbitrary binaries you have access to at runtime.

The arbitrary binary would use whatever means it has available (kerberos, ldap, saml-cli, etc) to get a GCP `access_token`.  

From there, the token is given surfaced as a refreshable credential source you can directly use with a GCP library.

This is similar to several systems that provide such delegation.

* Kubernetes kubectl [credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins)

* [AWS Process Credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html)

Needless to say, use this after very careful consideration:  this library will attempt to execute a binary on the system where its run (ofcource the process running using the library would need access to run the script anyway)

>> **NOTE** these samples are NOT supported by google; its just something done on a weekend...

---

### Implementations

As its a weekend project, caveat emptor.  The code is alpha quality and I didn't have time to push it to maven central, npm, etc. 

If you want it there, please review the code, provide suggestions and improvements here

* `golang`: [https://github.com/salrashid123/gcp_process_credentials_go](https://github.com/salrashid123/gcp_process_credentials_go)

* `python`: [https://github.com/salrashid123/gcp_process_credentials_py](https://github.com/salrashid123/gcp_process_credentials_py)

* `java`: [https://github.com/salrashid123/gcp_process_credentials_java](https://github.com/salrashid123/gcp_process_credentials_java)

* `node`: [https://github.com/salrashid123/gcp_process_credentials_node](https://github.com/salrashid123/gcp_process_credentials_node)

See the "examples" folder in each

---

### Binary Response Contract

Each library above will invoke a binary, pass it some args and env var.

The response back from the binary must

be valid JSON in the form

```json

{

  "access_token": "ya29....",

  "expires_in": 3600,

  "token_type": "Bearer"

}

```

* `access_token`: your access token

* `expires_in`: how many seconds this token is valid for

* `token_type`:  usually just a bearer token

### Quickstart

For a quick example in python, the following will read a token file and use that for credentials:

(see `examples/` folder)

```javascript

let targetClient = new GCPProcessCredentials({

  cmd: "/usr/bin/cat",

  args: ["/tmp/token.txt"],

  env : {'foo': 'bar'},

  parser: null

});

let targetClient = new GCPProcessCredentials({

    cmd: "gcloud",

    args: ["auth", "print-access-token"],

    parser:  null

  });

const {Storage} = require('@google-cloud/storage');

const storage = new Storage({

  projectId: 'core-eso',

  authClient: targetClient,

});

```

ofcourse the file  here `/tmp/token.txt` must be the json file format described above

### Parser Interface 

If your binary does not provide the exact json format, your can define a parser interface to 'translate' the credential for you.

For example,  `gcloud auth print-access-token` returns just the access token with an annoying newline character from stdout.

You an provide an interface to do the translation like this:

```javascript

class gcloudParser {

  constructor() {}

  parse(i) {

    return '{ "access_token": "' + i.toString().replace(/\n$/, '') +'", "expires_in": 3600, "token_type": "Bearer" }' 

  }

}

let targetClient = new GCPProcessCredentials({

    cmd: "gcloud",

    args: ["auth", "print-access-token"],

    parser:  new gcloudParser()

  });

const {Storage} = require('@google-cloud/storage');

const storage = new Storage({

  projectId: 'core-eso',

  authClient: targetClient,

});

```

### Injecting tokens vs Wrapped Credentials

You might be asking..._why cant' i just run the binary on my own in code, get the token an inject it as a credential like this?_?

Well, the, token is _not_ refreshable and your client library will need to manage that.  On the other hand, if you use this library, it will automatically refresh the token by calling the binary when its nearing expiration

---

Other References [AWS->GCP Process Credential Plugin](https://github.com/salrashid123/awscompat#process-credentials)