
Commit 3cdb482

committed
Address comments
1 parent 3b04f9d commit 3cdb482

1 file changed

+17
-11
lines changed

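--- a/cmd/rbac-manager/main.go
+++ b/cmd/rbac-manager/main.go
@@ -4,10 +4,10 @@ import (
 "context"
 "fmt"
 "os"
-"strings"
 
 "cloud.google.com/go/compute/metadata"
 "github.com/alecthomas/kingpin"
+"golang.org/x/oauth2"
 "golang.org/x/oauth2/google"
 directoryv1 "google.golang.org/api/admin/directory/v1"
 "google.golang.org/api/impersonate"
@@ -112,6 +112,8 @@ func createGoogleDirectory(ctx context.Context, subject string) (*directoryv1.Se
 return nil, err
 }
 
+var ts oauth2.TokenSource
+
 // If the found credential doesn't contain JSON, try to fallback to workload identity
 if len(creds.JSON) == 0 {
 // Get the email address associated with the service account. The account may be empty
@@ -128,21 +130,25 @@ func createGoogleDirectory(ctx context.Context, subject string) (*directoryv1.Se
 Subject: subject,
 }
 
-ts, err := impersonate.CredentialsTokenSource(ctx, config, option.WithCredentials(creds))
+// Impersonation (as itself) is required as the federated access token obtained from the GCE
+// metadata server is not sufficient for acting as the subject via domain-wide delegation.
+// For delegation to work, we need to sign a JWT with the the "sub" claim set to subject -
+// this happens implicitly through impersonation.
+ts, err = impersonate.CredentialsTokenSource(ctx, config)
+if err != nil {
+return nil, err
+}
+} else {
+conf, err := google.JWTConfigFromJSON(creds.JSON, scopes...)
 if err != nil {
 return nil, err
 }
 
-return directoryv1.NewService(ctx, option.WithTokenSource(ts))
-}
+// Access to the directory API must be signed with a Subject to enable domain selection.
+conf.Subject = subject
 
-conf, err := google.JWTConfigFromJSON(creds.JSON, strings.Join(scopes, " "))
-if err != nil {
-return nil, err
+ts = conf.TokenSource(ctx)
 }
 
-// Access to the directory API must be signed with a Subject to enable domain selection.
-conf.Subject = subject
-
-return directoryv1.NewService(ctx, option.WithHTTPClient(conf.Client(ctx)))
+return directoryv1.NewService(ctx, option.WithTokenSource(ts))
 }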
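Review bot: The new `ts, err = impersonate.CredentialsTokenSource(ctx, config)` line in the third hunk drops the `option.WithCredentials(creds)` argument the old call passed, so the impersonation token source now resolves credentials on its own instead of reusing the `creds` that createGoogleDirectory already found; if the two resolutions can differ (for example when `creds` was loaded from an explicit credentials file or with different scopes), that is a silent change of which identity calls the IAM Credentials API, and the commit does not say whether it is intended. A one-line comment would settle it, e.g. `// ADC is resolved again here: creds came from the metadata server and carries no JSON key.` The explanatory comment above that line also has a doubled word, `the the "sub" claim`. In the JSON branch, `conf, err := google.JWTConfigFromJSON(...)` shadows the outer `err`; it is checked immediately so this is safe, but `err` with `=` would keep the two branches symmetric with the impersonation branch. The enclosing function createGoogleDirectory starts outside the hunk.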
