GCP Secret Manager and Storage Bucket Binding implicit authentication support with Workload Identity (#3711)

Signed-off-by: Anton Troshin <anton@diagrid.io>

Author: antontroshin

bindings/gcp/bucket/bucket.go

@@ -104,13 +104,7 @@ func (g *GCPStorage) Init(ctx context.Context, metadata bindings.Metadata) error
 		return err
 	}
 
-	b, err := json.Marshal(m)
-	if err != nil {
-		return err
-	}
-
-	clientOptions := option.WithCredentialsJSON(b)
-	client, err := storage.NewClient(ctx, clientOptions)
+	client, err := g.getClient(ctx, m)
 	if err != nil {
 		return err
 	}
@@ -121,6 +115,41 @@ func (g *GCPStorage) Init(ctx context.Context, metadata bindings.Metadata) error
 	return nil
 }
 
+func (g *GCPStorage) getClient(ctx context.Context, m *gcpMetadata) (*storage.Client, error) {
+	var client *storage.Client
+	var err error
+
+	if m.Bucket == "" {
+		return nil, errors.New("missing property `bucket` in metadata")
+	}
+	if m.ProjectID == "" {
+		return nil, errors.New("missing property `project_id` in metadata")
+	}
+
+	// Explicit authentication
+	if m.PrivateKeyID != "" {
+		var b []byte
+		b, err = json.Marshal(m)
+		if err != nil {
+			return nil, err
+		}
+
+		clientOptions := option.WithCredentialsJSON(b)
+		client, err = storage.NewClient(ctx, clientOptions)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// Implicit authentication, using GCP Application Default Credentials (ADC)
+		// Credentials search order: https://cloud.google.com/docs/authentication/application-default-credentials#order
+		client, err = storage.NewClient(ctx)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return client, nil
+}
+
 func (g *GCPStorage) parseMetadata(meta bindings.Metadata) (*gcpMetadata, error) {
 	m := gcpMetadata{}
 	err := kitmd.DecodeMetadata(meta.Properties, &m)

bindings/gcp/bucket/bucket_test.go

@@ -16,6 +16,7 @@ package bucket
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -235,6 +236,30 @@ func TestMergeWithRequestMetadata(t *testing.T) {
 	})
 }
 
+func TestInit(t *testing.T) {
+	t.Run("Init missing bucket from metadata", func(t *testing.T) {
+		m := bindings.Metadata{}
+		m.Properties = map[string]string{
+			"projectID": "my_project_id",
+		}
+		gs := GCPStorage{logger: logger.NewLogger("test")}
+		err := gs.Init(context.Background(), m)
+		require.Error(t, err)
+		assert.Equal(t, err, errors.New("missing property `bucket` in metadata"))
+	})
+
+	t.Run("Init missing projectID from metadata", func(t *testing.T) {
+		m := bindings.Metadata{}
+		m.Properties = map[string]string{
+			"bucket": "my_bucket",
+		}
+		gs := GCPStorage{logger: logger.NewLogger("test")}
+		err := gs.Init(context.Background(), m)
+		require.Error(t, err)
+		assert.Equal(t, err, errors.New("missing property `project_id` in metadata"))
+	})
+}
+
 func TestGetOption(t *testing.T) {
 	gs := GCPStorage{logger: logger.NewLogger("test")}
 	gs.metadata = &gcpMetadata{}

secretstores/gcp/secretmanager/secretmanager.go

@@ -88,12 +88,38 @@ func (s *Store) Init(ctx context.Context, metadataRaw secretstores.Metadata) err
 }
 
 func (s *Store) getClient(ctx context.Context, metadata *GcpSecretManagerMetadata) (*secretmanager.Client, error) {
-	b, _ := json.Marshal(metadata)
-	clientOptions := option.WithCredentialsJSON(b)
+	var client *secretmanager.Client
+	var err error
 
-	client, err := secretmanager.NewClient(ctx, clientOptions)
-	if err != nil {
-		return nil, err
+	if metadata.ProjectID == "" {
+		return nil, errors.New("missing property `project_id` in metadata")
+	}
+
+	// Explicit authentication
+	if metadata.PrivateKeyID != "" {
+		if metadata.Type == "" {
+			return nil, errors.New("missing property `type` in metadata")
+		}
+		if metadata.PrivateKey == "" {
+			return nil, errors.New("missing property `private_key` in metadata")
+		}
+		if metadata.ClientEmail == "" {
+			return nil, errors.New("missing property `client_email` in metadata")
+		}
+
+		b, _ := json.Marshal(metadata)
+		clientOptions := option.WithCredentialsJSON(b)
+		client, err = secretmanager.NewClient(ctx, clientOptions)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// Implicit authentication, using GCP Application Default Credentials (ADC)
+		// Credentials search order: https://cloud.google.com/docs/authentication/application-default-credentials#order
+		client, err = secretmanager.NewClient(ctx)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	return client, nil
@@ -183,18 +209,9 @@ func (s *Store) parseSecretManagerMetadata(metadataRaw secretstores.Metadata) (*
 		return nil, fmt.Errorf("failed to decode metadata: %w", err)
 	}
 
-	if meta.Type == "" {
-		return nil, errors.New("missing property `type` in metadata")
-	}
 	if meta.ProjectID == "" {
 		return nil, errors.New("missing property `project_id` in metadata")
 	}
-	if meta.PrivateKey == "" {
-		return nil, errors.New("missing property `private_key` in metadata")
-	}
-	if meta.ClientEmail == "" {
-		return nil, errors.New("missing property `client_email` in metadata")
-	}
 
 	return &meta, nil
 }

secretstores/gcp/secretmanager/secretmanager_test.go

@@ -76,11 +76,47 @@ func TestInit(t *testing.T) {
 
 	t.Run("Init with missing `type` metadata", func(t *testing.T) {
 		m.Properties = map[string]string{
-			"dummy": "a",
+			"dummy":          "a",
+			"private_key_id": "a",
+			"project_id":     "a",
 		}
 		err := sm.Init(ctx, m)
 		require.Error(t, err)
-		assert.Equal(t, err, errors.New("missing property `type` in metadata"))
+		assert.Equal(t, errors.New("failed to setup secretmanager client: missing property `type` in metadata"), err)
+	})
+
+	t.Run("Init with missing `private_key` metadata", func(t *testing.T) {
+		m.Properties = map[string]string{
+			"dummy":          "a",
+			"private_key_id": "a",
+			"type":           "a",
+			"project_id":     "a",
+		}
+		err := sm.Init(ctx, m)
+		require.Error(t, err)
+		assert.Equal(t, errors.New("failed to setup secretmanager client: missing property `private_key` in metadata"), err)
+	})
+
+	t.Run("Init with missing `client_email` metadata", func(t *testing.T) {
+		m.Properties = map[string]string{
+			"dummy":          "a",
+			"private_key_id": "a",
+			"private_key":    "a",
+			"type":           "a",
+			"project_id":     "a",
+		}
+		err := sm.Init(ctx, m)
+		require.Error(t, err)
+		assert.Equal(t, errors.New("failed to setup secretmanager client: missing property `client_email` in metadata"), err)
+	})
+
+	t.Run("Init with missing `project_id` metadata", func(t *testing.T) {
+		m.Properties = map[string]string{
+			"type": "service_account",
+		}
+		err := sm.Init(ctx, m)
+		require.Error(t, err)
+		assert.Equal(t, err, errors.New("missing property `project_id` in metadata"))
 	})
 
 	t.Run("Init with missing `project_id` metadata", func(t *testing.T) {
@@ -91,6 +127,13 @@ func TestInit(t *testing.T) {
 		require.Error(t, err)
 		assert.Equal(t, err, errors.New("missing property `project_id` in metadata"))
 	})
+
+	t.Run("Init with empty metadata", func(t *testing.T) {
+		m.Properties = map[string]string{}
+		err := sm.Init(ctx, m)
+		require.Error(t, err)
+		assert.Equal(t, err, errors.New("missing property `project_id` in metadata"))
+	})
 }
 
 func TestGetSecret(t *testing.T) {