Skip to content

fix: missing auth header in impersonated service account credentials#556

Open
BSick7 wants to merge 1 commit into
googleapis:mainfrom
BSick7:service-account-impersonation
Open

fix: missing auth header in impersonated service account credentials#556
BSick7 wants to merge 1 commit into
googleapis:mainfrom
BSick7:service-account-impersonation

Conversation

@BSick7

@BSick7 BSick7 commented Dec 11, 2025

Copy link
Copy Markdown

This fixes an issue reporting that service account impersonation isn't working: #353.

The fixed code changes how ImpersonatedServiceAccountCredentials adds the auth header to its client. The primary issue was that the hash passed into the apply function is not mutated. Instead, the underlying implementations copies the hash, performs authentication, then returns the copy. The prepare_auth_header method was changed to align with the underlying implementation.

@BSick7
BSick7 requested a review from a team December 11, 2025 18:38
auth_header = {}
@source_credentials.updater_proc.call auth_header
auth_header
@source_credentials.updater_proc.call {}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For us we needed to keep defining the auth_header here. The fix seems to be removing auth_header from the return

def prepare_auth_header
  auth_header = {}
  @source_credentials.updater_proc.call auth_header
end

iamKunalGupta added a commit to iamKunalGupta/ubicloud that referenced this pull request Jul 14, 2026
Allow GCP to run without long-lived JSON service account keys
(control-plane key per location, per-timeline key on the VM for
WAL-G), mirroring the AWS provider's IAM-role path. The VM and
postgres layers are gated behind the new `gcp_postgres_iam_access`
config (default off); both key-based modes keep working unchanged.

With location_credential_gcp.credentials_json now nullable, the
control plane impersonates the location's service_account_email via
Application Default Credentials (requires
roles/iam.serviceAccountTokenCreator on the location service account).
With `gcp_postgres_iam_access` on, each VM gets its own service
account vm-<ubid> attached with cloud-platform scope, and postgres
servers grant it roles/storage.objectAdmin on their timeline bucket
instead of minting per-timeline keys; WAL-G authenticates through the
metadata server. Timelines with an existing access_key keep using it.
IAM propagation of a fresh account is retried at both the insert
rejection and the create operation failing with
EXTERNAL_RESOURCE_NOT_FOUND.

On destroy, grants are detached from the current and parent timeline
buckets before the service account is deleted, since a deleted
account's policy member becomes a deleted:...?uid= entry the detach
can no longer match. The resource row is gone before server strands
finish tearing down, so provider dispatch on PostgresServer falls back
to the VM's location.

lib/gcp_impersonated_credentials_patch.rb backports
googleapis/google-auth-library-ruby#556,
required for impersonation under GKE Workload Identity; remove it once
a googleauth release includes the fix.
iamKunalGupta added a commit to iamKunalGupta/ubicloud that referenced this pull request Jul 14, 2026
Allow GCP to run without long-lived JSON service account keys
(control-plane key per location, per-timeline key on the VM for
WAL-G), mirroring the AWS provider's IAM-role path. The VM and
postgres layers are gated behind the new `gcp_postgres_iam_access`
config (default off); both key-based modes keep working unchanged.

With location_credential_gcp.credentials_json now nullable, the
control plane impersonates the location's service_account_email via
Application Default Credentials (requires
roles/iam.serviceAccountTokenCreator on the location service account).
With `gcp_postgres_iam_access` on, each VM gets its own service
account vm-<ubid> attached with cloud-platform scope, and postgres
servers grant it roles/storage.objectAdmin on their timeline bucket
instead of minting per-timeline keys; WAL-G authenticates through the
metadata server. Timelines with an existing access_key keep using it.
IAM propagation of a fresh account is retried at both the insert
rejection and the create operation failing with
EXTERNAL_RESOURCE_NOT_FOUND.

On destroy, grants are detached from the current and parent timeline
buckets before the service account is deleted, since a deleted
account's policy member becomes a deleted:...?uid= entry the detach
can no longer match. The resource row is gone before server strands
finish tearing down, so provider dispatch on PostgresServer falls back
to the VM's location.

lib/gcp_impersonated_credentials_patch.rb backports
googleapis/google-auth-library-ruby#556,
required for impersonation under GKE Workload Identity; remove it once
a googleauth release includes the fix.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants