Implement GcpServiceAccountIdentityCredentials #11607
Conversation
| private CallCredentials getCallCredentials() throws Exception { | ||
| ComputeEngineCredentials credentials = ComputeEngineCredentials.create(); | ||
| IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder() | ||
| .setIdTokenProvider(credentials) |
There was a problem hiding this comment.
nit: Just inline ComputeEngineCredentials.create() instead of using a local variable.
There was a problem hiding this comment.
Okay, I'll do that in the follow up commit.
| ComputeEngineCredentials credentials = ComputeEngineCredentials.create(); | ||
| IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder() | ||
| .setIdTokenProvider(credentials) | ||
| .setTargetAudience(audience) |
There was a problem hiding this comment.
Write unit test to extract and assert the audience using tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudienceAsList() as given in the usage examples in https://cloud.google.com/java/docs/reference/google-auth-library/latest/com.google.auth.oauth2.IdTokenCredentials.
There was a problem hiding this comment.
Sure, just wanted to confirm this implementation before spending time on unit tests.
| * <p>This class is intended for use on GCE instances. It will not work | ||
| * in other environments. | ||
| */ | ||
| public class GcpServiceAccountIdentityCredentials extends CallCredentials { |
There was a problem hiding this comment.
Don't make any new public APIs. You want to add code to xds and just use it in your filter.
GcpServiceAccountIdentityCallCredentials from the gRFC already exists in Java. That's what your getCallCredentials() function creates. You absolutely wouldn't want to create that every RPC.
We will use custom CallCredentials in Java in order to read the authority and then select the correct CallCredentials, but that's going to look different from this.
There was a problem hiding this comment.
GcpServiceAccountIdentityCallCredentials from the gRFC already exists in Java.
I cannot find it. Where is it?
There was a problem hiding this comment.
GcpServiceAccountIdentityCallCredentials from the gRFC already exists in Java.
I cannot find it. Where is it?
The next sentence answered that:
That's what your getCallCredentials() function creates.
C doesn't have an auth library to use, unlike Java and Go. So in C they will need to make a new class. In Java, the functionality is already available.
There was a problem hiding this comment.
I took another look at the gRFC and it looks like we don't actually need custom CallCredentials. (I was probably thinking of an alternative design that had been discussed; it wouldn't depend on A74.) The filter will have the data available already; once A74 is done, the cluster config will be in CallOptions, like XdsNameResolver.CLUSTER_SELECTION_KEY is today.
| @Override | ||
| public void applyRequestMetadata(RequestInfo requestInfo, | ||
| Executor appExecutor, MetadataApplier applier) { | ||
| appExecutor.execute(() -> { |
There was a problem hiding this comment.
The executor here is for blocking operations (like I/O). We shouldn't need to use it directly. Call getCallCredentials() directly in applyRequestMetadata()
| getCallCredentials(callCredentialsCache, audience, credentials); | ||
| callOptions = callOptions.withCallCredentials(callCredentials); | ||
| } catch (Exception e) { | ||
| throw new RuntimeException("Failed to attach CallCredentials.", e); |
There was a problem hiding this comment.
Interceptors should not purposefully throw. Instead, you can return a FailingClientCall or add a CallCredentials that fails the RPC. But I actually don't see how any of this will fail, so don't know exactly what is being handled.
| true) { | ||
| @Override | ||
| protected boolean removeEldestEntry(Map.Entry<K, V> eldest) { | ||
| return size() > maxSize; |
There was a problem hiding this comment.
FYI, this is fine for now, but later you're going to need to change the maxSize after construction.
Note: The Google Auth Library have built-in mechanisms to handle clock skew in ComputeEngineCredentials.java.
GoogleCredentialsmanages token refreshing, validity and parsing of the JWT token internally.