GCP Authenticator support of Cloud Functions #1804

Closed
InbalZilberman opened this issue Sep 6, 2020 · 0 comments
InbalZilberman commented Sep 6, 2020

Feature Overview

The gcp auth method allows Google Cloud Platform entities to authenticate to DAP/Conjur using an identity token obtained from the GCP metadata server, enabling them to fetch secrets. We need to authenticate these entities against the Google Cloud APIs. The supported entities should be:

  • Google Compute Engine (GCE) instances
  • Cloud Functions

Later stage:

  • App engines
  • Pods

This feature doc introduces how we support authenticating Cloud Functions, which is very similar to GCE, just without the instance name and project ID claims in the token.

We will also add new validations, applied while loading policy, for hosts that use authn-gcp annotations.

You may ask yourselves why not do this for all authenticators; the answer is that we will do it in stages.

Related Documents

  • Verifying the Identity of Instances: https://cloud.google.com/compute/docs/instances/verifying-instance-identity
  • GCE authenticator first feature doc: https://app.zenhub.com/workspaces/palmtree-5d99d900491c060001c85cba/issues/cyberark/conjur/1711

Milestones

  • Milestone 1: authn-gcp for Cloud Functions
  • Milestone 2: Release
  • Milestone 3: Add validations for policy loading

Process Logic for GCE & Cloud Functions

  1. Martin, Conjur admin, defines the gcp authenticator:

    - !policy
      id: conjur/authn-gcp
      body:
      - !webservice
     
      - !variable
        id: provider-uri 
           
      - !group apps
        annotations:
          description: Group of hosts that can authenticate using the authn-gcp authenticator
       
      - !permit
        role: !group apps
        privilege: [ read, authenticate ]
        resource: !webservice
    
  2. Martin, Conjur admin, or Eva, a developer with permissions in Conjur, defines the host:

- !policy
  id: <policy-id>
  body:
    - !group

    - &hosts
      - !host
        id: myapp
        annotations:
          # GCE only
          authn-gcp/instance-name: <instance-name>
          authn-gcp/project-id: <project-id>
          # GCE & Cloud Functions
          authn-gcp/service-account-id: <service-account-id>
          authn-gcp/service-account-email: <service-account-email>
          
    - !grant
      role: !group
      members: *hosts
         
- !grant
  role: !group /conjur/authn-gcp/apps
  member: !group <policy-id>

Constraints

At least one of the following annotations must be provided:

instance-name OR project-id OR service-account-id OR service-account-email

Several authentication details can be combined, for example:

instance-name AND project-id

For GCE all of the authentication details are valid, but for Cloud Functions only service-account-id or service-account-email can be used, since the Cloud Functions token carries no instance name or project ID.

Validations

New validations are applied when the policy is loaded:

  • Only instance-name, project-id, service-account-id or service-account-email are valid names after the authn-gcp/ prefix. Level: Error (policy fails to load)
  • service-account-id's value is numeric only. Level: Error
  • service-account-email's value has a valid email structure. Level: Error
  3. The app developer obtains an identity token from the metadata server, using the Conjur host ID as the audience.

The below snippet depicts a curl request to obtain an identity token:

    curl -H "Metadata-Flavor: Google" \
      'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]&format=[FORMAT]'

Replace the following:

  • AUDIENCE - the DAP host ID, in the following format: conjur/[conjur-account-name]/host/[host-id]. (The audience is the unique URI agreed upon by both the token sender and receiver and used for validation of the token.)
  • FORMAT - DAP expects an identity token in full format. Use the value: full. (The format parameter specifies whether or not the project and instance details are included in the payload.)

As a result, a JWT is received.

GCE token:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjRlNGViZTQ4N2Q1Y2RmMmIwMjZhM2IyMjlkODZmMGQ0MjU4NDQ5ZmUiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwOi8vdmF1bHQvY29uanVyIiwiYXpwIjoiMTEwOTg3Mjk0MjUxOTE3ODUxMjk4IiwiZW1haWwiOiI3MTYxNDkxNTgzNDEtY29tcHV0ZUBkZXZlbG9wZXIuZ3Nlc..UjMBcLyHcNPZjLebpm2dRSV4aRwwdnTdY2XxFGCOge19O8FTaF0Awv-FupLKwfTqvG6RUv49zABQGQpmuOp13XYZ6NnORNBuFG6YKs5udBSm2HVP4fyHGWMj4NMwxmKljG3xKAmrhU_xOQZt11TuTfe_vnqp7pt1gtXmdAH9Q5sHqfNODozPAkQyUqO5jmjFJ16

Decoded payload:

{
  "aud": "http://vault/conjur",
  "azp": "110987294251917851298",
  "email": "[email protected]",
  "email_verified": true,
  "exp": 1595160638,
  "google": {
    "compute_engine": {
      "instance_creation_timestamp": 1595155766,
      "instance_id": "4340508760561261530",
      "instance_name": "vm-for-gcp",
      "project_id": "eng-serenity-231813",
      "project_number": 716149158341,
      "zone": "us-central1-a"
    }
  },
  "iat": 1595157038,
  "iss": "https://accounts.google.com",
  "sub": "110987294251917851298"
}

Cloud Functions token:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjRlNGViZTQ4N2Q1Y2RmMmIwMjZhM2IyMjlkODZmMGQ0MjU4NDQ5ZmUiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL3VzLWNlbnRyYWwxLWVuZy1zZXJlbml0eS0yMzE4MTMuY2xvdWRmdW5jdGlvbnMubmV0L2Z1bmN0aW9uLWlkZW50aXR5IiwiYXpwIjoiMTE2NTYy..wIDIjp29v7yuEdiz1GUmdJ9mDk80qllirgCkldv7vpgw5nFUMrRcbctRSLNkucDHaJeYzI-WuzK-Xb6oEI4QVm0NwvF7gjL2u6yKr4XKtoHN_6QVKMPXVzjWe8p2ojz_4asyOuqju-QTPXutwRkZbc_8JQ-XulYwccMRob5lmdp9ja-A

Decoded payload (note there is no google.compute_engine block):

{
  "aud": "https://us-central1-eng-serenity-231813.cloudfunctions.net/function-identity",
  "azp": "116562654706290285267",
  "email": "[email protected]",
  "email_verified": true,
  "exp": 1595421071,
  "iat": 1595417471,
  "iss": "https://accounts.google.com",
  "sub": "116562654706290285267"
}

or, with the Conjur host ID as the audience:

{
  "aud": "conjur/my-org/host/my-app",
  "azp": "117042636860576770546",
  "email": "[email protected]",
  "email_verified": true,
  "exp": 1598804633,
  "iat": 1598801033,
  "iss": "https://accounts.google.com",
  "sub": "117042636860576770546"
}

  4. Call the authn-gcp authenticate endpoint with the JWT:
    POST https:///authn-gcp//myapp/authenticate

    Headers:
      Content-Type: application/x-www-form-urlencoded
      Accept-Encoding: base64
    Body: the JWT obtained for the GCP entity, form-encoded:
      jwt=eyJhbGciOiJSUzI1NiIs......uTonCA

The authenticator is expected to verify the JWT against Google's public certificates and then compare the host annotations to the JWT claims as follows:

  1. Validate the JWT with the provider (signature, issuer, expiration, and so on)
  2. Validate that the audience is the host ID (as in the current authn-gcp)
  3. Validate that the host's identity annotations match the claims in the JWT:

  • google/compute_engine/instance_name ↔ authn-gcp/instance-name (relevant ONLY to GCE)
  • google/compute_engine/project_id ↔ authn-gcp/project-id (relevant ONLY to GCE)
  • sub ↔ authn-gcp/service-account-id (relevant to both GCE & Cloud Functions)
  • email ↔ authn-gcp/service-account-email (relevant to both GCE & Cloud Functions)

Open issues

  1. Do we support App Engine, theoretically, the same way?

General Analysis

Audit

All authentication calls should be audited, failures included.

Status API

Any new authenticator that is added has its status API. The GCP authenticator already has it, yay!

Support Matrix

  • Latest DAP and Conjur OSS

Installation

New / Upgrade / Repair / Uninstall

Backward Compatibility

Existing GCE functionality should keep working with this authenticator.

Performance

1-second SLA for one authentication call
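
The authentication-time checks described in the Process Logic section (verify the token, check the audience, compare claims with the host annotations), as an added Ruby example written for this page. This is illustration code, not Conjur's own implementation: it verifies against a locally generated RSA key standing in for Google's published certificates, and the function names, the AuthnError class and the sample Cloud Functions token are all constructed here.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added example, not Conjur code. Issuer values Google uses for identity tokens.
GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'].freeze

# Claim path each supported host annotation is compared against.
CLAIM_PATHS = {
  'authn-gcp/instance-name'         => %w[google compute_engine instance_name],
  'authn-gcp/project-id'            => %w[google compute_engine project_id],
  'authn-gcp/service-account-id'    => %w[sub],
  'authn-gcp/service-account-email' => %w[email]
}.freeze

class AuthnError < StandardError; end # hypothetical error type

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Token issuer side (stand-in for the metadata server): RS256-sign a payload.
def sign_identity_token(payload, private_key)
  header = { alg: 'RS256', typ: 'JWT', kid: 'example-kid' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Step 1: signature, issuer and expiration. Step 2: audience is the host ID.
def verify_identity_token(jwt, public_key, expected_audience, now: Time.now.to_i)
  parts = jwt.split('.')
  raise AuthnError, 'malformed token' unless parts.length == 3
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  # Pin the algorithm; never let the token pick it ("none", HS256, ...).
  raise AuthnError, 'unexpected alg' unless header['alg'] == 'RS256'
  signature = Base64.urlsafe_decode64(parts[2])
  unless public_key.verify(OpenSSL::Digest.new('SHA256'), signature, "#{parts[0]}.#{parts[1]}")
    raise AuthnError, 'signature verification failed'
  end
  claims = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  raise AuthnError, 'untrusted issuer' unless GOOGLE_ISSUERS.include?(claims['iss'])
  raise AuthnError, 'token expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  raise AuthnError, 'audience mismatch' unless claims['aud'] == expected_audience
  claims
end

# Step 3: every authn-gcp annotation on the host must match the token.
# A Cloud Functions token has no google.compute_engine block, so a host
# restricted by instance-name or project-id cannot authenticate with one.
def annotations_match?(annotations, claims)
  restrictions = annotations.select { |key, _| CLAIM_PATHS.key?(key) }
  raise AuthnError, 'host has no authn-gcp restrictions' if restrictions.empty?
  restrictions.all? do |key, expected|
    actual = claims.dig(*CLAIM_PATHS[key])
    !actual.nil? && actual.to_s == expected.to_s
  end
end

# Constructed sample run: a Cloud Functions style token signed with a throwaway key.
def demo(now = Time.now.to_i)
  key = OpenSSL::PKey::RSA.new(2048)
  audience = 'conjur/my-org/host/my-app'
  payload = {
    'aud' => audience, 'azp' => '117042636860576770546',
    'email' => 'my-fn@my-project.iam.gserviceaccount.com', 'email_verified' => true,
    'exp' => now + 3600, 'iat' => now,
    'iss' => 'https://accounts.google.com', 'sub' => '117042636860576770546'
  }
  jwt = sign_identity_token(payload, key)
  claims = verify_identity_token(jwt, key.public_key, audience, now: now)

  # Same header and signature, different payload: must be rejected.
  parts = jwt.split('.')
  forged = [parts[0], b64url(JSON.generate(payload.merge('sub' => '1'))), parts[2]].join('.')
  tampered_rejected = begin
    verify_identity_token(forged, key.public_key, audience, now: now)
    false
  rescue AuthnError
    true
  end

  {
    service_account_ok: annotations_match?(
      { 'authn-gcp/service-account-id' => '117042636860576770546',
        'authn-gcp/service-account-email' => 'my-fn@my-project.iam.gserviceaccount.com' }, claims),
    gce_only_restriction_ok: annotations_match?({ 'authn-gcp/instance-name' => 'vm-for-gcp' }, claims),
    tampered_rejected: tampered_rejected
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The order of checks matters: signature first, so that nothing in an unverified payload (issuer, audience, claims) is trusted before the token is known to come from Google, and the algorithm is pinned rather than read from the token.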

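
The policy-load validations from the Validations section, as an added Ruby example written for this page (not Conjur's code). ALLOWED_RESTRICTIONS, EMAIL_PATTERN, PolicyLoadError and the function names are invented; the email check is a structural regex only, which is what the "valid email structure" rule asks for.

```ruby
# Added example, not Conjur code: reject a host's authn-gcp annotations at
# policy-load time when they fail the documented rules.
ALLOWED_RESTRICTIONS = %w[instance-name project-id service-account-id service-account-email].freeze
EMAIL_PATTERN = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/ # structural check only (hypothetical)

class PolicyLoadError < StandardError; end # hypothetical error type

# Returns the list of error messages for a host's annotations; empty means OK.
# Every rule is level Error, so any message fails the policy load.
def gcp_annotation_errors(annotations)
  annotations.each_with_object([]) do |(key, value), errors|
    next unless key.start_with?('authn-gcp/')
    restriction = key.delete_prefix('authn-gcp/')
    unless ALLOWED_RESTRICTIONS.include?(restriction)
      errors << "#{key}: unknown restriction, expected one of #{ALLOWED_RESTRICTIONS.join(', ')}"
      next
    end
    case restriction
    when 'service-account-id'
      # The service account's unique ID (the token's sub) is decimal digits only.
      errors << "#{key}: value must be numeric" unless value.to_s.match?(/\A\d+\z/)
    when 'service-account-email'
      errors << "#{key}: value is not a valid email address" unless value.to_s.match?(EMAIL_PATTERN)
    end
  end
end

# Raise so the policy load fails, naming the host and every offending annotation.
def validate_gcp_annotations!(host_id, annotations)
  errors = gcp_annotation_errors(annotations)
  raise PolicyLoadError, "host #{host_id}: #{errors.join('; ')}" unless errors.empty?
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: typo'd key (underscore), non-numeric ID, malformed email.
  puts gcp_annotation_errors(
    'authn-gcp/service_account_id' => '117042636860576770546',
    'authn-gcp/service-account-id' => '1170426368605767705ab',
    'authn-gcp/service-account-email' => 'not-an-email'
  )
end
```

Collecting all errors before raising, rather than stopping at the first, gives the policy author one load failure that lists every bad annotation instead of a fix-and-retry loop.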