Update internal GCP Auth to use new SignJWT endpoint #1389
Hey @catsby ! Thanks.
I think we'll also want to update 👇🏻 too?
waypoint/builtin/google/cloudrun/platform.go
Lines 154 to 157 in 1a46a87
apiResource := fmt.Sprintf("projects/%s/serviceAccounts/%s",
	p.config.Project,
	p.config.ServiceAccountName,
)
I could see this needing a CHANGELOG entry only because in the future, older Waypoints will probably fail once the endpoint is deprecated? It might be nice in that sense to remember when the update to the new endpoint usage was released.
Hey @briancain - I believe the usage in |
ran through a release to GCP with this and it works 🎉
90e55ad to f40e64b
The IAM endpoint to sign JWTs is deprecated, and users are asked to migrate to the Service Account Credentials API instead. See https://cloud.google.com/iam/docs/migrating-to-credentials-api
f40e64b to ff0bd88
👍🏻 looks good!
Updates Waypoints' internal GCP auth to use GCP's IAM Service Account Credential endpoint for signing JWTs, as the IAM endpoint versions are deprecated and being turned off (not totally sure when but speculation/inference is around July 1, 2021). See https://cloud.google.com/iam/docs/migrating-to-credentials-api for more information on the deprecation and migration.
I'm honestly not sure where this is used and there isn't a directly related test file associated with this, so I have not tested other than to ensure the project still compiles.
See also for more backstory:
Note: I added the pr/no-changelog label because I didn't feel this change warranted it, but let me know if you'd prefer one added
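To illustrate the migration the description refers to, here is an added example (not code from this pull request or from Waypoint) that builds a signJwt request for the Service Account Credentials API using only the Go standard library. The function names and the service account value are hypothetical; the Credentials API expects the `projects/-/serviceAccounts/...` resource form rather than a project ID.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

const credentialsBase = "https://iamcredentials.googleapis.com/v1/" // Service Account Credentials API

// credentialsResource rewrites "projects/<project>/serviceAccounts/<account>" to the
// "projects/-/..." form and rejects input that would alter the URL path or query.
func credentialsResource(legacy string) (string, error) {
	p := strings.Split(legacy, "/")
	if len(p) != 4 || p[0] != "projects" || p[2] != "serviceAccounts" ||
		p[3] == "" || strings.ContainsAny(p[3], "?#%") {
		return "", fmt.Errorf("unexpected service account resource %q", legacy)
	}
	return "projects/-/serviceAccounts/" + p[3], nil
}

// newSignJWTRequest builds the signJwt call; the caller adds the OAuth2 bearer token.
func newSignJWTRequest(legacy string, claims map[string]interface{}) (*http.Request, error) {
	res, err := credentialsResource(legacy)
	if err != nil {
		return nil, err
	}
	payload, err := json.Marshal(claims) // the API takes the claim set as a JSON string
	if err != nil {
		return nil, err
	}
	body, _ := json.Marshal(map[string]string{"payload": string(payload)})
	req, err := http.NewRequest(http.MethodPost, credentialsBase+res+":signJwt", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

func main() {
	sa := "deployer@example-project.iam.gserviceaccount.com" // constructed sample value
	req, err := newSignJWTRequest("projects/example-project/serviceAccounts/"+sa, map[string]interface{}{"sub": sa})
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL)
}
```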