Remove explicit project for service account in GCE authorizer (#58)

* remove explicit project for service account * add project back into gce authorizer object
hashicorp · Dec 10, 2018 · 4d63bbf · 4d63bbf
1 parent 0a3edf0
commit 4d63bbf
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/plugin/authorizer_gce.go b/plugin/authorizer_gce.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/helper/strutil"
 )
 
@@ -140,12 +141,11 @@ func AuthorizeGCE(ctx context.Context, i *AuthorizeGCEInput) error {
 	// Verify instance is running under one of the allowed service accounts.
 	if len(i.boundServiceAccounts) > 0 {
 		// ServiceAccount wraps a call to the GCP IAM API to get a service account.
-		name := fmt.Sprintf("projects/%s/serviceAccounts/%s", i.project, i.serviceAccount)
+		name := fmt.Sprintf("projects/-/serviceAccounts/%s", i.serviceAccount)
 
 		saId, saEmail, err := i.client.ServiceAccount(ctx, name)
 		if err != nil {
-			return fmt.Errorf("could not find service account %q in project %q: %s",
-				i.serviceAccount, i.project, err)
+			return errwrap.Wrapf(fmt.Sprintf("could not find service account %q: {{err}}", i.serviceAccount), err)
 		}
 
 		if !(strutil.StrListContains(i.boundServiceAccounts, saEmail) ||

diff --git a/plugin/path_login.go b/plugin/path_login.go
@@ -442,7 +442,7 @@ func (b *GcpAuthBackend) pathGceLogin(ctx context.Context, req *logical.Request,
 			metadata.ProjectId, metadata.Zone, metadata.InstanceName, err)), nil
 	}
 
-	if err := b.authorizeGCEInstance(ctx, instance, req.Storage, role, loginInfo.EmailOrId); err != nil {
+	if err := b.authorizeGCEInstance(ctx, metadata.ProjectId, instance, req.Storage, role, loginInfo.EmailOrId); err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
 
@@ -575,7 +575,7 @@ func (b *GcpAuthBackend) pathGceRenew(ctx context.Context, req *logical.Request,
 	if !ok {
 		return errors.New("invalid auth metadata: service_account_id not found")
 	}
-	if err := b.authorizeGCEInstance(ctx, instance, req.Storage, role, serviceAccountId); err != nil {
+	if err := b.authorizeGCEInstance(ctx, meta.ProjectId, instance, req.Storage, role, serviceAccountId); err != nil {
 		return fmt.Errorf("could not renew token for role %s: %v", roleName, err)
 	}
 
@@ -631,7 +631,7 @@ func getInstanceMetadataFromAuth(authMetadata map[string]string) (*gcputil.GCEId
 
 // authorizeGCEInstance returns an error if the given GCE instance is not
 // authorized for the role.
-func (b *GcpAuthBackend) authorizeGCEInstance(ctx context.Context, instance *compute.Instance, s logical.Storage, role *gcpRole, serviceAccountId string) error {
+func (b *GcpAuthBackend) authorizeGCEInstance(ctx context.Context, project string, instance *compute.Instance, s logical.Storage, role *gcpRole, serviceAccountId string) error {
 	httpC, err := b.httpClient(ctx, s)
 	if err != nil {
 		return err
@@ -652,8 +652,8 @@ func (b *GcpAuthBackend) authorizeGCEInstance(ctx context.Context, instance *com
 			computeSvc: gceClient,
 			iamSvc:     iamClient,
 		},
-		serviceAccount: serviceAccountId,
-
+		serviceAccount:   serviceAccountId,
+		project:          project,
 		instanceLabels:   instance.Labels,
 		instanceSelfLink: instance.SelfLink,
 		instanceZone:     instance.Zone,