GCP CLI support: API changes (#19785)

Krzysztof Skrzętnicki 2023-01-11 13:19:32 +01:00 committed by GitHub
parent d72ac18247
commit 91032267d6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 2549 additions and 2221 deletions


@ -324,6 +324,8 @@ message RouteToApp {
string AWSRoleARN = 5 [(gogoproto.jsontag) = "aws_role_arn,omitempty"];
// AzureIdentity is the Azure identity to assume when accessing Azure API.
string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity,omitempty"];
// GCPServiceAccount is the GCP service account to assume when accessing GCP API.
string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account,omitempty"];
}
// GetUserRequest specifies parameters for the GetUser method.
@ -706,6 +708,8 @@ message CreateAppSessionRequest {
string AWSRoleARN = 5 [(gogoproto.jsontag) = "aws_role_arn"];
// AzureIdentity is Azure identity the user wants to assume.
string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity"];
// GCPServiceAccount is the GCP service account the user wants to assume.
string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account"];
}
// CreateAppSessionResponse contains the requested application web session.
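Review bot: The new `GCPServiceAccount` field in `CreateAppSessionRequest` is chosen by the requester, and its comment does not say that the value has to be authorized before a session is issued. None of the visible hunks show where it is compared with the role's `GCPServiceAccounts` list, so that check presumably lives in server code outside this page. The comment could state the contract, e.g. `// GCPServiceAccount is the GCP service account the user wants to assume; the server must reject values not granted by the user's roles.` The same applies to `RouteToApp.GCPServiceAccount` in the first hunk and to the Go `CreateAppSessionRequest` struct in the last file section. Both messages start outside their hunks.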


@ -75,11 +75,14 @@ message UserMetadata {
// AWSRoleARN is AWS IAM role user assumes when accessing AWS console.
string AWSRoleARN = 4 [(gogoproto.jsontag) = "aws_role_arn,omitempty"];
// AzureIdentity is the Azure identity to assume when accessing Azure API.
string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity,omitempty"];
// AccessRequests are the IDs of access requests created by the user
repeated string AccessRequests = 5 [(gogoproto.jsontag) = "access_requests,omitempty"];
// AzureIdentity is the Azure identity user assumes when accessing Azure API.
string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity,omitempty"];
// GCPServiceAccount is the GCP service account user assumes when accessing GCP API.
string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account,omitempty"];
}
// Server is a server metadata
@ -3287,6 +3290,8 @@ message Identity {
];
// AzureIdentities is a list of allowed Azure identities user can assume.
repeated string AzureIdentities = 24 [(gogoproto.jsontag) = "azure_identities,omitempty"];
// GCPServiceAccounts is a list of allowed GCP service accounts user can assume.
repeated string GCPServiceAccounts = 25 [(gogoproto.jsontag) = "gcp_service_accounts,omitempty"];
}
// RouteToApp contains parameters for application access certificate requests.
@ -3303,6 +3308,8 @@ message RouteToApp {
string AWSRoleARN = 5 [(gogoproto.jsontag) = "aws_role_arn,omitempty"];
// AzureIdentity is the Azure identity ot assume when accessing Azure API.
string AzureIdentity = 6 [(gogoproto.jsontag) = "azure_identity,omitempty"];
// GCPServiceAccount is the GCP service account to assume when accessing GCP API.
string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account,omitempty"];
}
// RouteToDatabase combines parameters for database service routing information.
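Review bot: The comment on `UserMetadata.GCPServiceAccount` does not say whether the audit event records the account that was requested or the one the session was actually issued for, which is the distinction a detection rule on these events depends on. If it is the issued account, something like `// GCPServiceAccount is the GCP service account the session was issued for.` would make that explicit; this needs confirming against the emitting code, which is not in this diff. `Identity.GCPServiceAccounts = 25` lists every allowed account rather than the one in use, so the comments should keep the two clearly apart. The unchanged comment just above the added `RouteToApp` field still reads `ot assume`.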


@ -2433,6 +2433,9 @@ message RoleConditions {
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "kubernetes_resources,omitempty"
];
// GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
repeated string GCPServiceAccounts = 25 [(gogoproto.jsontag) = "gcp_service_accounts,omitempty"];
}
// KubernetesResource is the Kubernetes resource identifier.
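Review bot: `RoleConditions.GCPServiceAccounts` is an authorization list, but its comment does not state how entries are matched (exact string, wildcard, or template expansion), and the hunk does not show it either. For a list that decides which cloud identity a user may assume, the matching rule belongs next to the field as a second comment line, once confirmed against the role-evaluation code. If `RoleConditions` is also used for deny rules, which cannot be told from this hunk, the wording `this role is allowed to assume` should be made neutral, e.g. `// GCPServiceAccounts is a list of GCP service accounts this condition applies to.` The message starts outside the hunk.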


@ -63,6 +63,8 @@ type Application interface {
IsAWSConsole() bool
// IsAzureCloud returns true if this app represents Azure Cloud instance.
IsAzureCloud() bool
// IsGCP returns true if this app represents GCP instance.
IsGCP() bool
// IsTCP returns true if this app represents a TCP endpoint.
IsTCP() bool
// GetProtocol returns the application protocol.
@ -242,6 +244,11 @@ func (a *AppV3) IsAzureCloud() bool {
return a.Spec.Cloud == CloudAzure
}
// IsGCP returns true if this app is GCP instance.
func (a *AppV3) IsGCP() bool {
return a.Spec.Cloud == CloudGCP
}
// IsTCP returns true if this app represents a TCP endpoint.
func (a *AppV3) IsTCP() bool {
return strings.HasPrefix(a.Spec.URI, "tcp://")
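Review bot: The doc comment on `(*AppV3).IsGCP` is worded differently from the interface method it implements (`is GCP instance` versus `represents GCP instance`), and both drop the article. Using `// IsGCP returns true if this app represents a GCP instance.` in both places would match the `IsTCP` comment beside them. `CloudGCP` is defined outside this hunk, so its value cannot be checked here. Adding `IsGCP` to the `Application` interface also means every other implementation has to gain the method; the diff shows only `AppV3`.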


@ -323,6 +323,8 @@ type CreateAppSessionRequest struct {
AWSRoleARN string `json:"aws_role_arn"`
// AzureIdentity is Azure identity this the user wants to assume.
AzureIdentity string `json:"azure_identity"`
// GCPServiceAccount is GCP service account this the user wants to assume.
GCPServiceAccount string `json:"gcp_service_account"`
}
// Check validates the request.
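Review bot: The comment on the new `GCPServiceAccount` struct field reads `is GCP service account this the user wants to assume`, carrying over the stray `this` from the Azure line above it. `// GCPServiceAccount is the GCP service account the user wants to assume.` would match the proto comment for the same field. `Check` is declared right after the struct but its body is outside the hunk, so whether it looks at the new field cannot be told from here.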
