
Commit 47b89bd

committed
GCP: Use WithCredentialsJSON when Possible
Prior to this commit, using a GCP Service Account with a Key failed when an alternate UNIVERSE_DOMAIN is needed. The GCP SDK codepath for WithCredentialsJSON correctly determines the Universe Domain, so we should call it whenever our credentials contain the private key.
1 parent e114840 commit 47b89bd

3 files changed

Lines changed: 14 additions & 3 deletions


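--- a/pkg/asset/installconfig/gcp/client.go
+++ b/pkg/asset/installconfig/gcp/client.go
@@ -720,7 +720,7 @@ func (c *Client) GetNamespacedTagValue(ctx context.Context, tagNamespacedName st
 }
 
 func (c *Client) getKeyManagementClient(ctx context.Context) (*kms.KeyManagementClient, error) {
-kmsClient, err := kms.NewKeyManagementClient(ctx, option.WithCredentials(c.ssn.Credentials))
+kmsClient, err := kms.NewKeyManagementClient(ctx, CredentialOption(c.ssn))
 if err != nil {
 return nil, fmt.Errorf("failed to create kms key management client: %w", err)
 }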

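--- a/pkg/asset/installconfig/gcp/services.go
+++ b/pkg/asset/installconfig/gcp/services.go
@@ -59,6 +59,17 @@ func CreateEndpointOption(endpointName string, service ServiceNameGCP) option.Cl
 return option.WithEndpoint(endpoint)
 }
 
+// CredentialOption returns the appropriate client option for the session credentials.
+// When raw credential JSON is available, WithCredentialsJSON is used so that the
+// Google API library can apply self-signed JWT authentication for non-default
+// universe domains (e.g., Google Cloud Dedicated).
+func CredentialOption(ssn *Session) option.ClientOption {
+if len(ssn.Credentials.JSON) > 0 {
+return option.WithCredentialsJSON(ssn.Credentials.JSON)
+}
+return option.WithCredentials(ssn.Credentials)
+}
+
 // getOptions creates the options for use during service creation.
 func getOptions(ctx context.Context) ([]option.ClientOption, error) {
 ssn, err := GetSession(ctx)
@@ -67,7 +78,7 @@ func getOptions(ctx context.Context) ([]option.ClientOption, error) {
 }
 
 options := []option.ClientOption{
-option.WithCredentials(ssn.Credentials),
+CredentialOption(ssn),
 }
 return options, nil
 }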
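Review bot: `CredentialOption` reads `ssn.Credentials.JSON` with no nil guard on `ssn` or `ssn.Credentials`, so a session without loaded credentials now panics at option construction, whereas the old `option.WithCredentials(ssn.Credentials)` call merely deferred the failure to the first API request; the new call sites in client.go (`c.ssn`) and gcp.go (`ssn`) pass the session straight through and inherit this. If `Credentials` is a pointer, as the `option.WithCredentials` argument suggests, adding `if ssn == nil || ssn.Credentials == nil { return option.WithCredentials(nil) }` before the length check keeps the previous behaviour for that case. Separately, `WithCredentialsJSON` re-derives the token source from the raw key file, so any scopes or token source that `GetSession` configured on `ssn.Credentials` are presumably no longer applied on this path — worth confirming and recording in the doc comment, e.g. `// Note: the JSON path does not reuse ssn.Credentials.TokenSource or its scopes.`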

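--- a/pkg/quota/gcp/gcp.go
+++ b/pkg/quota/gcp/gcp.go
@@ -35,7 +35,7 @@ func Load(ctx context.Context, project string, endpoint *gcptypes.PSCEndpoint, s
 if err != nil {
 return nil, errors.Wrap(err, "failed to create services svc")
 }
-metricsOptions := []option.ClientOption{option.WithCredentials(ssn.Credentials)}
+metricsOptions := []option.ClientOption{gcpconfig.CredentialOption(ssn)}
 metricsSvc, err := monitoring.NewMetricClient(ctx, metricsOptions...)
 if err != nil {
 return nil, errors.Wrap(err, "failed to create metrics svc")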
