
Post upgrade to Inspec controls version 1.0: Issue with google_service_account_keys() #249

Closed · sukchomb-zz opened this issue Apr 16, 2020 · 2 comments · Fixed by #256


@sukchomb-zz

Hi @slevenick , @lhasadreams

Service account keys cannot be retrieved; attempting to use this resource results in a 404 error.

The singular resource may also be affected, but I am not certain, as I have used a workaround.

Describe the problem

The call generates:

```html
<title>Error 404 (Not Found)!!1</title>

The requested URL /v1/projects/tfci-ci1-tst-3369/serviceAccounts/projects/tfci-ci1-tst-3369/serviceAccounts/185726073911-compute@developer.gserviceaccount.com/keys? was not found on this server. That’s all we know.
```

The URL is malformed.

Possible Solution

This is my workaround, where I call the API directly:

```ruby
require 'json'
require 'googleauth'
require 'google/apis/iam_v1'

# Runs inside an InSpec control: google_service_accounts and gcp_project_id
# come from the inspec-gcp resource pack / profile attributes.
# Talk to the IAM API directly instead of going through google_service_account_keys.
service = Google::Apis::IamV1::IamService.new
service.authorization = Google::Auth.get_application_default(['https://www.googleapis.com/auth/cloud-platform'])

google_service_accounts(project: gcp_project_id).service_account_names.sort.each do |sa_name|
  # Interim fix post gcp version 1.0 upgrade.
  # sa_name is now the fully qualified "projects/{project}/serviceAccounts/{email}",
  # which is exactly the form list_project_service_account_keys expects.
  response = service.list_project_service_account_keys(sa_name).to_json
  this_hash = JSON.parse(response)

  ## This generates a structure like this:
  ## {"keys":[
  ##   {"keyAlgorithm":"KEY_ALG_RSA_2048","keyOrigin":"GOOGLE_PROVIDED","keyType":"SYSTEM_MANAGED",
  ##    "name":"projects/tfci-ci1-tst-3369/serviceAccounts/svc-is-my-name@tfci-ci1-tst-3369.iam.gserviceaccount.com/keys/26f163aabb489b6e1661d9a93087ef9a29805c22",
  ##    "validAfterTime":"2020-03-30T16:11:02Z","validBeforeTime":"2020-04-15T16:11:02Z"},
  ##   {"keyAlgorithm":"KEY_ALG_RSA_2048","keyOrigin":"GOOGLE_PROVIDED","keyType":"SYSTEM_MANAGED",
  ##    "name":"projects/tfci-ci1-tst-3369/serviceAccounts/svc-is-my-name@tfci-ci1-tst-3369.iam.gserviceaccount.com/keys/73e530115af8ba5fc75058d49f4962d87049edc7",
  ##    "validAfterTime":"2020-04-07T16:12:47Z","validBeforeTime":"2020-04-23T16:12:47Z"},
  ##   {"keyAlgorithm":"KEY_ALG_RSA_2048","keyOrigin":"GOOGLE_PROVIDED","keyType":"USER_MANAGED",
  ##    "name":"projects/tfci-ci1-tst-3369/serviceAccounts/svc-is-my-name@tfci-ci1-tst-3369.iam.gserviceaccount.com/keys/35046c901ea3ff9ba35154a93004fcb176f13967",
  ##    "validAfterTime":"2020-04-11T09:35:32Z","validBeforeTime":"9999-12-31T23:59:59Z"},
  ##   {"keyAlgorithm":"KEY_ALG_RSA_2048","keyOrigin":"GOOGLE_PROVIDED","keyType":"USER_MANAGED",
  ##    "name":"projects/tfci-ci1-tst-3369/serviceAccounts/svc-is-my-name@tfci-ci1-tst-3369.iam.gserviceaccount.com/keys/ed2e5fc22624fd9bef5c15a0e3bd63fbf96e8b0b",
  ##    "validAfterTime":"2020-04-11T14:18:43Z","validBeforeTime":"9999-12-31T23:59:59Z"}
  ## ]}

  # Every key must be Google-managed; a USER_MANAGED key (note the 9999-12-31
  # validBeforeTime, i.e. it never expires on its own) fails the control.
  this_hash.fetch("keys").each do |this_key|
    describe "Service account key '#{this_key.fetch("name")}', keyType" do
      subject { this_key.fetch("keyType") }
      it { should eq "SYSTEM_MANAGED" }
    end
  end
  # End of interim fix
end
```

@slevenick
Collaborator

I'm guessing your control looks like this:

```ruby
google_service_account_keys(project: gcp_project_id, service_account: sa_name) do
  ...
end
```

Instead of using `service_account_names`, try using the emails, or split the service account name on `/` and take the last part. The issue is that the service account name has changed to be the fully qualified name: `projects/{project}/serviceAccounts/{you-want-this}`
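The renaming described above, worked through as an added example. This is not code from the inspec-gcp project or from either commenter: the helpers `service_account_email`, `keys_url` and `audit_keys` are hypothetical, the IAM v1 base URL is assumed, and `SAMPLE_KEYS` is a constructed response shaped like the one quoted in the issue (same field names, invented project, email and key IDs). It shows why passing the fully qualified name yields the doubled `.../serviceAccounts/projects/...` path from the 404, how normalising to the email fixes it, and goes one step beyond the thread by auditing the returned key list for the cases a reviewer cares about: user-managed keys and keys past a rotation age.

```ruby
# Added example, not part of the original issue or the inspec-gcp project.
require 'json'
require 'time'

IAM_BASE = 'https://iam.googleapis.com/v1'.freeze # assumed base URL for the example

# Since inspec-gcp 1.0, service_account_names returns the fully qualified
# "projects/{project}/serviceAccounts/{email}". Taking the last path component
# accepts both that form and a bare email.
def service_account_email(identifier)
  identifier.to_s.split('/').last
end

# Build the list-keys URL the way the plural resource interpolates its
# parameters. Passing the fully qualified name as service_account is what
# produces the doubled ".../serviceAccounts/projects/..." path quoted in the 404.
def keys_url(project, service_account)
  "#{IAM_BASE}/projects/#{project}/serviceAccounts/#{service_account}/keys"
end

# Constructed sample in the shape of the ListServiceAccountKeys response quoted
# in the issue; project, email and key IDs are invented.
SAMPLE_KEYS = JSON.parse(<<~JSON)
  {"keys":[
    {"keyAlgorithm":"KEY_ALG_RSA_2048","keyOrigin":"GOOGLE_PROVIDED","keyType":"SYSTEM_MANAGED",
     "name":"projects/example-project/serviceAccounts/svc@example-project.iam.gserviceaccount.com/keys/aaaa",
     "validAfterTime":"2020-04-07T16:12:47Z","validBeforeTime":"2020-04-23T16:12:47Z"},
    {"keyAlgorithm":"KEY_ALG_RSA_2048","keyOrigin":"GOOGLE_PROVIDED","keyType":"USER_MANAGED",
     "name":"projects/example-project/serviceAccounts/svc@example-project.iam.gserviceaccount.com/keys/bbbb",
     "validAfterTime":"2020-01-01T00:00:00Z","validBeforeTime":"9999-12-31T23:59:59Z"}
  ]}
JSON

# Flag keys worth a finding: USER_MANAGED keys (downloadable private keys that
# never expire by default, so rotation is manual) and any key whose
# validAfterTime is more than max_age_days before `now`.
def audit_keys(response, now: Time.now.utc, max_age_days: 90)
  response.fetch('keys').each_with_object([]) do |key, findings|
    age_days = ((now - Time.iso8601(key.fetch('validAfterTime'))) / 86_400).floor
    reasons = []
    reasons << 'user-managed' if key.fetch('keyType') == 'USER_MANAGED'
    reasons << "older than #{max_age_days} days" if age_days > max_age_days
    next if reasons.empty?

    findings << { name: key.fetch('name'),
                  key_id: key.fetch('name').split('/').last,
                  reasons: reasons }
  end
end

if $PROGRAM_NAME == __FILE__
  full_name = 'projects/example-project/serviceAccounts/svc@example-project.iam.gserviceaccount.com'
  puts "malformed: #{keys_url('example-project', full_name)}"
  puts "correct:   #{keys_url('example-project', service_account_email(full_name))}"
  audit_keys(SAMPLE_KEYS, now: Time.utc(2020, 4, 16)).each do |f|
    puts "#{f[:key_id]}: #{f[:reasons].join(', ')}"
  end
end
```

In an InSpec control the normalised value is what goes into `service_account:`; the audit step is the same check the workaround above expresses as `should eq "SYSTEM_MANAGED"`, extended with a rotation-age threshold.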

@KonradSchieban
Contributor

I am running into a probably related issue with the function call `google_service_account_keys(project: gcp_project_id, service_account: sa_email)`, which does not collect any keys. The call does not throw an error, but it does not collect the keys.
