mirror of
https://github.com/gravitational/teleport
synced 2024-10-19 16:53:57 +00:00
c5ac4b40e9
Teleport assumes that the `google` claim is present in the identity token that the Teleport service shares with Auth server. This is valid for VMs but it's not valid for GKE clusters using Workload identity and other GCP services. Teleport requests the identity token with `format=full` to receive this enhanced token.
Example of an identity token with a `google` claim:
```json
{
"iss": "[TOKEN_ISSUER]",
"iat": [ISSUED_TIME],
"exp": [EXPIRED_TIME],
"aud": "[AUDIENCE]",
"sub": "[SUBJECT]",
"azp": "[AUTHORIZED_PARTY]",
"google": {
"compute_engine": {
"project_id": "[PROJECT_ID]",
"project_number": [PROJECT_NUMBER],
"zone": "[ZONE]",
"instance_id": "[INSTANCE_ID]",
"instance_name": "[INSTANCE_NAME]",
"instance_creation_timestamp": [CREATION_TIMESTAMP],
"instance_confidentiality": [INSTANCE_CONFIDENTIALITY],
}
}
}
```
The problem arises when one tries to use GCP joining for a Teleport service running on a GKE pod. When inside a pod with a binding between the Kubernetes Service account and the Google IAM Service Account, Google's metadata service token does not include the `google` claim. so it fails to join the cluster because of the unknown `project_id`.
To bypass this limitation, this PR extracts the `project_id` from the Google Service Account Email claim
`<service_account_name>@<project_id>.iam.gserviceaccount.com`. We use regex to extract the `project_id` and ensure the email follows the specified format above. Tests were introduced to validate the email.
Fixes #28636
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
|
||
|---|---|---|
| .. | ||
| gcp.go | ||
| token_validator.go | ||
| token_validator_test.go | ||