Update guide for integrating GCP service account credentials #2068

Open
m-t-a97 opened this issue Jan 11, 2025 · 0 comments
m-t-a97 commented Jan 11, 2025

Description

The guide for integrating Google Cloud service account credentials has the following issues:

  • The command to generate the base64 encoded value doesn't generate the correct format due to the service account credentials containing whitespace and new lines within the JSON file. So the base64 output applies line wrapping by default, which in turn causes issues when trying to use that value inside of a .env file with Docker etc.

  • Also there is a security concern with one of the approaches suggested in the docs which is to put the base64 encoded value of the service account credentials directly within the Kestra configuration. This poses a huge security issue as the Kestra config will usually be committed to a GitHub repo. This means that anyone who has "read" access to the repo can simply take the base64 encoded value and decode it to get the service account credentials and carry out nefarious actions with it.

An example has been provided below:

service-account.json (this is a fake credential):

{
  "type": "service_account",
  "project_id": "my-proj",
  "private_key_id": "dda93c63f2a049df876f2ae8c0f629111a599269",
  "private_key": "-----BEGIN PRIVATE KEY-----\nTG9yZW0gSXBzdW0gaXMgc2ltcGx5IGR1bW15IHRleHQgb2YgdGhlIHByaW50aW5nIGFuZCB0eXBl\nc2V0dGluZyBpbmR1c3RyeS4gTG9yZW0gSXBzdW0gaGFzIGJlZW4gdGhlIGluZHVzdHJ5J3Mgc3Rh\nbmRhcmQgZHVtbXkgdGV4dCBldmVyIHNpbmNlIHRoZSAxNTAwcywgd2hlbiBhbiB1bmtub3duIHBy\naW50ZXIgdG9vayBhIGdhbGxleSBvZiB0eXBlIGFuZCBzY3JhbWJsZWQgaXQgdG8gbWFrZSBhIHR5\ncGUgc3BlY2ltZW4gYm9vay4gSXQgaGFzIHN1cnZpdmVkIG5vdCBvbmx5IGZpdmUgY2VudHVyaWVz\nLCBidXQgYWxzbyB0aGUgbGVhcCBpbnRvIGVsZWN0cm9uaWMgdHlwZXNldHRpbmcsIHJlbWFpbmlu\nZyBlc3NlbnRpYWxseSB1bmNoYW5nZWQuIEl0IHdhcyBwb3B1bGFyaXNlZCBpbiB0aGUgMTk2MHMg\nd2l0aCB0aGUgcmVsZWFzZSBvZiBMZXRyYXNldCBzaGVldHMgY29udGFpbmluZyBMb3JlbSBJcHN1\nbSBwYXNzYWdlcywgYW5kIG1vcmUgcmVjZW50bHkgd2l0aCBkZXNrdG9wIHB1Ymxpc2hpbmcgc29m\ndHdhcmUgbGlrZSBBbGR1cyBQYWdlTWFrZXIgaW5jbHVkaW5nIHZlcnNpb25zIG9mIExvcmVtIElw\nc3VtLiBDb250cmFyeSB0byBwb3B1bGFyIGJlbGllZiwgTG9yZW0gSXBzdW0gaXMgbm90IHNpbXBs\neSByYW5kb20gdGV4dC4gSXQgaGFzIHJvb3RzIGluIGEgcGllY2Ugb2YgY2xhc3NpY2FsIExhdGlu\nIGxpdGVyYXR1cmUgZnJvbSA0NSBCQywgbWFraW5nIGl0IG92ZXIgMjAwMCB5ZWFycyBvbGQuIFJp\nY2hhcmQgTWNDbGludG9jaywgYSBMYXRpbiBwcm9mZXNzb3IgYXQgSGFtcGRlbi1TeWRuZXkgQ29s\nbGVnZSBpbiBWaXJnaW5pYSwgbG9va2VkIHVwIG9uZSBvZiB0aGUgbW9yZSBvYnNjdXJlIExhdGlu\nIHdvcmRzLCBjb25zZWN0ZXR1ciwgZnJvbSBhIExvcmVtIElwc3VtIHBhc3NhZ2UsIGFuZCBnb2lu\nZyB0aHJvdWdoIHRoZSBjaXRlcyBvZiB0aGUgd29yZCBpbiBjbGFzc2ljYWwgbGl0ZXJhdHVyZSwg\nZGlzY292ZXJlZCB0aGUgdW5kb3VidGFibGUgc291cmNlLiBMb3JlbSBJcHN1bSBjb21lcyBmcm9t\nIHNlY3Rpb25zIDEuMTAuMzIgYW5kIDEuMTAuMzMgb2YgZGUgRmluaWJ1cyBCb25vcnVtIGV0IE1h\nbG9ydW0gKFRoZSBFeHRyZW1lcyBvZiBHb29kIGFuZCBFdmlsKSBieSBDaWNlcm8sIHdyaXR0ZW4g\naW4gNDUgQkMuIFRoaXMgYm9vayBpcyBhIHRyZWF0aXNlIG9uIHRoZSB0aGVvcnkgb2YgZXRoaWNz\nLCB2ZXJ5IHBvcHVsYXIgZHVyaW5nIHRoZSBSZW5haXNzYW5jZS4gVGhlIGZpcnN0IGxpbmUgb2Yg\nTG9yZW0gSXBzdW0sIExvcmVtIGlwc3VtIGRvbG9yIHNpdCBhbWV0Li4sIGNvbWVzIGZyb20gYSBs\naW5lIGluIHNlY3Rpb24gMS4xMC4zMi4K\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "12345678901234567890",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk%40my-proj.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}

Following the current docs suggests using the following command to generate the base64 value:
cat service-account.json | base64

ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAibXktcHJvaiIs
CiAgInByaXZhdGVfa2V5X2lkIjogImRkYTkzYzYzZjJhMDQ5ZGY4NzZmMmFlOGMwZjYyOTExMWE1
OTkyNjkiLAogICJwcml2YXRlX2tleSI6ICItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS1cblRH
OXlaVzBnU1hCemRXMGdhWE1nYzJsdGNHeDVJR1IxYlcxNUlIUmxlSFFnYjJZZ2RHaGxJSEJ5YVc1.....

The value above has line wrapping which adds new lines to the base64 value. So that means that the whole value will not be passed into the .env file correctly. You can see this problem when inspecting the environment variables on a standalone Linux environment or within a Docker container, e.g. using Docker Desktop.

However, this can be remedied by using the following command instead:
cat service-account.json | base64 -w 0

This command will remove any line wrapping, which will give you the correct base64 encoded string format. You can rest assured that this doesn't have any implications, as decoding it will give you back the original JSON payload for your service account credential.

So based on this observation, I suggest updating the docs to include the following modifications to the guide:

  • Remove the guide regarding storing the credentials directly in the Kestra config due to security concerns.
  • Update the bash command to use the command shown above in the solution and prefer the .env approach.
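The following script is an added example and is not code from the Kestra docs or from the issue author. It demonstrates the two points of the issue in working shell: producing a single-line base64 value from a service-account JSON file and verifying that it round-trips before it goes into a .env file, and a simple scan that flags a config file in which an encoded service-account key has been pasted directly. Instead of the GNU-only `base64 -w 0` it uses `base64 | tr -d '\n'`, which gives the same single-line output on both GNU and BSD/macOS `base64`. The file names, the `GCP_SA_BASE64` variable, the `gcp.credentials` config key and the credential content are all constructed placeholders, not real Kestra settings or a real key.

```shell
#!/bin/sh
# Added example, not from the Kestra docs or the issue author. It shows:
#  (1) single-line base64 encoding that works with GNU and BSD/macOS base64,
#  (2) a round-trip check before the value is written to a .env file,
#  (3) a scan that flags a config file with an embedded service-account key.
# File names, env var name, config key and credential content are constructed.

# Encode a file as base64 with no line wrapping. `tr -d '\n'` replaces the
# GNU-only `base64 -w 0`, so the output is identical on GNU and BSD base64.
encode_sa() {
    base64 < "$1" | tr -d '\n'
}

# Number of newline characters inside a string (0 means safe as KEY=VALUE).
newline_count() {
    printf '%s' "$1" | tr -cd '\n' | wc -c | tr -d ' '
}

# Succeed only if the encoded value has no line breaks AND decodes back to
# exactly the original file (byte-for-byte comparison with cmp).
verify_roundtrip() {
    [ "$(newline_count "$2")" -eq 0 ] || return 1
    printf '%s' "$2" | base64 -d | cmp -s - "$1"
}

# Append KEY=<single-line encoded file> to a .env file.
write_env() {
    printf '%s=%s\n' "$1" "$(encode_sa "$2")" >> "$3"
}

# Return 0 if any base64-looking token in the file decodes to JSON that
# contains a "private_key" field, i.e. a service-account key was committed.
find_embedded_sa_key() {
    for token in $(grep -oE '[A-Za-z0-9+/]{40,}={0,2}' "$1"); do
        if printf '%s' "$token" | base64 -d 2>/dev/null | grep -q '"private_key"'; then
            return 0
        fi
    done
    return 1
}

# Write a constructed, non-functional service-account file (placeholder key).
make_sample_sa() {
    cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-proj",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_NOT_A_REAL_KEY_PLACEHOLDER_NOT_A_REAL_KEY_PLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "example@example-proj.iam.gserviceaccount.com"
}
EOF
}

# Demo run: compare default vs single-line output, verify, write .env,
# then scan a config that embeds the key versus one that references the env var.
demo() {
    dir=$(mktemp -d)
    make_sample_sa "$dir/sa.json"

    wrapped=$(base64 < "$dir/sa.json")   # default output; GNU wraps at 76 columns
    flat=$(encode_sa "$dir/sa.json")
    echo "newlines in default base64 output: $(newline_count "$wrapped")"
    echo "newlines in single-line output:    $(newline_count "$flat")"

    verify_roundtrip "$dir/sa.json" "$flat" && echo "round-trip OK"
    write_env GCP_SA_BASE64 "$dir/sa.json" "$dir/.env"

    # "gcp.credentials" is a placeholder key, not a real Kestra setting.
    printf 'gcp:\n  credentials: %s\n' "$flat" > "$dir/bad.yaml"
    printf 'gcp:\n  credentials: ${GCP_SA_BASE64}\n' > "$dir/good.yaml"
    find_embedded_sa_key "$dir/bad.yaml"  && echo "bad.yaml: embedded service-account key found"
    find_embedded_sa_key "$dir/good.yaml" || echo "good.yaml: no embedded key"
    rm -rf "$dir"
}

demo
```

`verify_roundtrip` is the check worth running before the value is pasted anywhere: it fails both when the encoder wrapped the output and when the value was truncated while copying. `find_embedded_sa_key` is deliberately crude (any long base64 run is decoded and grepped), which is enough to catch a key pasted straight into a config file that is about to be committed; the config that only references `${GCP_SA_BASE64}` carries nothing to decode.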
@m-t-a97 m-t-a97 added the documentation Improvements or additions to documentation label Jan 11, 2025
@kestrabot kestrabot bot added this to Issues Jan 11, 2025
@github-project-automation github-project-automation bot moved this to Backlog in Issues Jan 11, 2025
m-t-a97 added a commit to m-t-a97/docs that referenced this issue Jan 14, 2025