
feat(gcp): issue-5790: optional GCP service account email for WIF impersonation (#6273)

* updates GCP STS endpoints to use configured UniverseDomain

Signed-off-by: Bharath B <bhb@redhat.com>

* issue-5790: feat(gcp): optional GCP service account email for WIF impersonation

Signed-off-by: Bharath B <bhb@redhat.com>

---------

Signed-off-by: Bharath B <bhb@redhat.com>
Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Bharath B hace 3 semanas

+ 12 - 0
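--- a/apis/externalsecrets/v1/secretstore_gcpsm_types.go
+++ b/apis/externalsecrets/v1/secretstore_gcpsm_types.go
@@ -117,6 +117,18 @@ type GCPWorkloadIdentityFederation struct {
 	// URL is having the expected value.
 	// +kubebuilder:validation:Optional
 	ExternalTokenEndpoint string `json:"externalTokenEndpoint,omitempty"`
+
+	// GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+	// after Workload Identity Federation. Use this to grant access through the service account's
+	// IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+	// service_account_impersonation_url in the external account JSON from credConfig;
+	// when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
+	// on that ServiceAccount.
+	// +kubebuilder:example:="my-gsa@my-project.iam.gserviceaccount.com"
+	// +kubebuilder:validation:Pattern:=^.*@.*\.iam\.gserviceaccount\.com$
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:Optional
+	GCPServiceAccountEmail string `json:"gcpServiceAccountEmail,omitempty"`
 }
 
 // ConfigMapReference holds the details of a configmap.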
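Review bot: The CRD pattern on the new GCPServiceAccountEmail field, `^.*@.*\.iam\.gserviceaccount\.com$`, admits characters such as `/`, `?`, whitespace and uppercase that the impersonation-URL check in workload_identity_federation.go rejects (`[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com`), so a value accepted at admission time is only refused later during reconciliation, after it has already been interpolated into a URL path by fmt.Sprintf in updateServiceAccountImpersonationURL. Aligning the marker with the Go regex surfaces the error at apply time and keeps path characters out of the built URL: `// +kubebuilder:validation:Pattern:=^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$` (the generated CRD and snapshot files in this commit would then be regenerated). With that pattern in place the `MinLength:=1` marker is redundant and can be dropped. The GCPWorkloadIdentityFederation struct begins outside the hunk.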

+ 12 - 0
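--- a/config/crds/bases/external-secrets.io_clustersecretstores.yaml
+++ b/config/crds/bases/external-secrets.io_clustersecretstores.yaml
@@ -2156,6 +2156,18 @@ spec:
                                   credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                   URL is having the expected value.
                                 type: string
+                              gcpServiceAccountEmail:
+                                description: |-
+                                  GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+                                  after Workload Identity Federation. Use this to grant access through the service account's
+                                  IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+                                  service_account_impersonation_url in the external account JSON from credConfig;
+                                  when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
+                                  on that ServiceAccount.
+                                example: my-gsa@my-project.iam.gserviceaccount.com
+                                minLength: 1
+                                pattern: ^.*@.*\.iam\.gserviceaccount\.com$
+                                type: string
                               serviceAccountRef:
                                 description: |-
                                   serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,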

+ 12 - 0
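--- a/config/crds/bases/external-secrets.io_secretstores.yaml
+++ b/config/crds/bases/external-secrets.io_secretstores.yaml
@@ -2156,6 +2156,18 @@ spec:
                                   credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                   URL is having the expected value.
                                 type: string
+                              gcpServiceAccountEmail:
+                                description: |-
+                                  GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+                                  after Workload Identity Federation. Use this to grant access through the service account's
+                                  IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+                                  service_account_impersonation_url in the external account JSON from credConfig;
+                                  when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
+                                  on that ServiceAccount.
+                                example: my-gsa@my-project.iam.gserviceaccount.com
+                                minLength: 1
+                                pattern: ^.*@.*\.iam\.gserviceaccount\.com$
+                                type: string
                               serviceAccountRef:
                                 description: |-
                                   serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,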

+ 12 - 0
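--- a/config/crds/bases/generators.external-secrets.io_clustergenerators.yaml
+++ b/config/crds/bases/generators.external-secrets.io_clustergenerators.yaml
@@ -603,6 +603,18 @@ spec:
                                   credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                   URL is having the expected value.
                                 type: string
+                              gcpServiceAccountEmail:
+                                description: |-
+                                  GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+                                  after Workload Identity Federation. Use this to grant access through the service account's
+                                  IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+                                  service_account_impersonation_url in the external account JSON from credConfig;
+                                  when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
+                                  on that ServiceAccount.
+                                example: my-gsa@my-project.iam.gserviceaccount.com
+                                minLength: 1
+                                pattern: ^.*@.*\.iam\.gserviceaccount\.com$
+                                type: string
                               serviceAccountRef:
                                 description: |-
                                   serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,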

+ 12 - 0
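--- a/config/crds/bases/generators.external-secrets.io_gcraccesstokens.yaml
+++ b/config/crds/bases/generators.external-secrets.io_gcraccesstokens.yaml
@@ -213,6 +213,18 @@ spec:
                           credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                           URL is having the expected value.
                         type: string
+                      gcpServiceAccountEmail:
+                        description: |-
+                          GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+                          after Workload Identity Federation. Use this to grant access through the service account's
+                          IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+                          service_account_impersonation_url in the external account JSON from credConfig;
+                          when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
+                          on that ServiceAccount.
+                        example: my-gsa@my-project.iam.gserviceaccount.com
+                        minLength: 1
+                        pattern: ^.*@.*\.iam\.gserviceaccount\.com$
+                        type: string
                       serviceAccountRef:
                         description: |-
                           serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,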

+ 48 - 0
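--- a/deploy/crds/bundle.yaml
+++ b/deploy/crds/bundle.yaml
@@ -4256,6 +4256,18 @@ spec:
                                     credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                     URL is having the expected value.
                                   type: string
+                                gcpServiceAccountEmail:
+                                  description: |-
+                                    GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+                                    after Workload Identity Federation. Use this to grant access through the service account's
+                                    IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+                                    service_account_impersonation_url in the external account JSON from credConfig;
+                                    when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
+                                    on that ServiceAccount.
+                                  example: my-gsa@my-project.iam.gserviceaccount.com
+                                  minLength: 1
+                                  pattern: ^.*@.*\.iam\.gserviceaccount\.com$
+                                  type: string
                                 serviceAccountRef:
                                   description: |-
                                     serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
@@ -16497,6 +16509,18 @@ spec:
                                     credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                     URL is having the expected value.
                                   type: string
+                                gcpServiceAccountEmail:
+                                  description: |-
+                                    GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+                                    after Workload Identity Federation. Use this to grant access through the service account's
+                                    IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+                                    service_account_impersonation_url in the external account JSON from credConfig;
+                                    when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
+                                    on that ServiceAccount.
+                                  example: my-gsa@my-project.iam.gserviceaccount.com
+                                  minLength: 1
+                                  pattern: ^.*@.*\.iam\.gserviceaccount\.com$
+                                  type: string
                                 serviceAccountRef:
                                   description: |-
                                     serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
@@ -25619,6 +25643,18 @@ spec:
                                     credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                     URL is having the expected value.
                                   type: string
+                                gcpServiceAccountEmail:
+                                  description: |-
+                                    GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+                                    after Workload Identity Federation. Use this to grant access through the service account's
+                                    IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+                                    service_account_impersonation_url in the external account JSON from credConfig;
+                                    when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
+                                    on that ServiceAccount.
+                                  example: my-gsa@my-project.iam.gserviceaccount.com
+                                  minLength: 1
+                                  pattern: ^.*@.*\.iam\.gserviceaccount\.com$
+                                  type: string
                                 serviceAccountRef:
                                   description: |-
                                     serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
@@ -27772,6 +27808,18 @@ spec:
                             credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                             URL is having the expected value.
                           type: string
+                        gcpServiceAccountEmail:
+                          description: |-
+                            GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+                            after Workload Identity Federation. Use this to grant access through the service account's
+                            IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+                            service_account_impersonation_url in the external account JSON from credConfig;
+                            when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
+                            on that ServiceAccount.
+                          example: my-gsa@my-project.iam.gserviceaccount.com
+                          minLength: 1
+                          pattern: ^.*@.*\.iam\.gserviceaccount\.com$
+                          type: string
                         serviceAccountRef:
                           description: |-
                             serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,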

+ 16 - 0
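--- a/docs/api/spec.md
+++ b/docs/api/spec.md
@@ -5772,6 +5772,22 @@ credential_source.url in the provided credConfig. This field is merely to double
 URL is having the expected value.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>gcpServiceAccountEmail</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
+after Workload Identity Federation. Use this to grant access through the service account&rsquo;s
+IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
+service_account_impersonation_url in the external account JSON from credConfig;
+when serviceAccountRef is set, it also overrides the &ldquo;iam.gke.io/gcp-service-account&rdquo; annotation
+on that ServiceAccount.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1.GcpIDTokenAuthCredentials">GcpIDTokenAuthCredentials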

+ 6 - 4
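--- a/providers/v1/gcp/secretmanager/workload_identity.go
+++ b/providers/v1/gcp/secretmanager/workload_identity.go
@@ -75,11 +75,13 @@ var (
 	// workloadIdentityRequestedTokenType is the requested type for OAuth 2.0 access token.
 	workloadIdentityRequestedTokenType = "urn:ietf:params:oauth:token-type:access_token"
 
-	// workloadIdentityTokenURL is the token service endpoint.
-	workloadIdentityTokenURL = "https://sts.googleapis.com/v1/token"
+	// workloadIdentityTokenURLFormat is the token service endpoint format. When the UniverseDomain is not set
+	// in the GCP credentials config, defaultUniverseDomain will be substituted.
+	workloadIdentityTokenURLFormat = "https://sts.%s/v1/token"
 
-	// workloadIdentityTokenInfoURL is the STS introspection service endpoint.
-	workloadIdentityTokenInfoURL = "https://sts.googleapis.com/v1/introspect"
+	// workloadIdentityTokenInfoURLFormat is the STS introspection service endpoint format. When the UniverseDomain is not set
+	// in the GCP credentials config, defaultUniverseDomain will be substituted.
+	workloadIdentityTokenInfoURLFormat = "https://sts.%s/v1/introspect"
 )
 
 // workloadIdentity holds all clients and generators needed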
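Review bot: workloadIdentityTokenURLFormat and workloadIdentityTokenInfoURLFormat are Printf format strings that now live in a `var` block (the hunk header shows `var (`), so `go vet`'s printf analyzer cannot check the `fmt.Sprintf` calls in workload_identity_federation.go that consume them, and as package variables the STS endpoints stay assignable at runtime; both values are plain string literals, so a `const` block would make the endpoint fixed and restore the vet check. The comments say defaultUniverseDomain "will be substituted" without saying where; since the substitution is done by updateExternalAccountConfigWithDefaultValues in workload_identity_federation.go, naming it helps the reader: `// %s is replaced with config.UniverseDomain by updateExternalAccountConfigWithDefaultValues (defaultUniverseDomain when unset).` The enclosing var block starts outside the hunk.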

+ 33 - 17
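--- a/providers/v1/gcp/secretmanager/workload_identity_federation.go
+++ b/providers/v1/gcp/secretmanager/workload_identity_federation.go
@@ -106,10 +106,16 @@ type serviceAccountImpersonationInfo struct {
 }
 
 var (
+	gcpSTSTokenURLRegex                 = regexp.MustCompile(`^https://sts\.[^/\s]+/v1/token$`)
+	gcpSTSTokenInfoURLRegex             = regexp.MustCompile(`^https://sts\.[^/\s]+/v1/introspect$`)
 	awsSTSTokenURLRegex                 = regexp.MustCompile(`^http://(metadata\.google\.internal|169\.254\.169\.254|\[fd00:ec2::254\])/latest/meta-data/iam/security-credentials$`)
 	awsRegionURLRegex                   = regexp.MustCompile(`^http://(metadata\.google\.internal|169\.254\.169\.254|\[fd00:ec2::254\])/latest/meta-data/placement/availability-zone$`)
 	awsSessionTokenURLRegex             = regexp.MustCompile(`^http://(metadata\.google\.internal|169\.254\.169\.254|\[fd00:ec2::254\])/latest/api/token$`)
-	serviceAccountImpersonationURLRegex = regexp.MustCompile(`^https://iamcredentials\.googleapis\.com/v1/projects/-/serviceAccounts/(\S+):generateAccessToken$`)
+	serviceAccountImpersonationURLRegex = regexp.MustCompile(
+		`^https://iamcredentials\.(?:[a-z0-9-]+\.)*googleapis\.com` +
+			`/v1/projects/[^/]+/serviceAccounts/` +
+			`[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com:generateAccessToken$`,
+	)
 )
 
 const (
@@ -172,13 +178,20 @@ func (w *workloadIdentityFederation) TokenSource(ctx context.Context) (oauth2.To
 	return externalaccount.NewTokenSource(ctx, *config)
 }
 
-func (w *workloadIdentityFederation) getGCPServiceAccountFromAnnotation(ctx context.Context, cfg *externalaccount.Config) error {
+// updateServiceAccountImpersonationURL sets cfg.ServiceAccountImpersonationURL for GCP service account
+// impersonation after the external account config is merged. When GCPServiceAccountEmail is set on the
+// spec, it wins over service_account_impersonation_url from credConfig and over the "iam.gke.io/gcp-service-account"
+// annotation on the referenced Kubernetes ServiceAccount. Otherwise, if serviceAccountRef is set, the
+// ServiceAccount is loaded and the gcp-service-account annotation is applied when present.
+func (w *workloadIdentityFederation) updateServiceAccountImpersonationURL(ctx context.Context, cfg *externalaccount.Config) error {
+	if w.config.GCPServiceAccountEmail != "" {
+		cfg.ServiceAccountImpersonationURL = fmt.Sprintf(workloadIdentityFederationServiceAccountImpersonationURLFormat, w.config.GCPServiceAccountEmail)
+		return nil
+	}
+
 	if w.config.ServiceAccountRef == nil {
 		return nil
 	}
-	// look up the service account and check if it has a well-known GCP WI annotation.
-	// If so, use that GCP service account for impersonation.
-	// Required if you grant secret access to a GCP service account instead of direct resource access.
 	ns := w.namespace
 	if w.isClusterKind && w.config.ServiceAccountRef.Namespace != nil {
 		ns = *w.config.ServiceAccountRef.Namespace
@@ -244,7 +257,7 @@ func (w *workloadIdentityFederation) generateExternalAccountConfig(ctx context.C
 	if err := w.updateExternalAccountConfigWithAWSCredentialsSupplier(ctx, config); err != nil {
 		return nil, err
 	}
-	if err := w.getGCPServiceAccountFromAnnotation(ctx, config); err != nil {
+	if err := w.updateServiceAccountImpersonationURL(ctx, config); err != nil {
 		return nil, err
 	}
 	w.updateExternalAccountConfigWithDefaultValues(config)
@@ -294,14 +307,14 @@ func (w *workloadIdentityFederation) updateExternalAccountConfigWithDefaultValue
 	if config.SubjectTokenType == "" {
 		config.SubjectTokenType = workloadIdentitySubjectTokenType
 	}
+	if config.UniverseDomain == "" {
+		config.UniverseDomain = defaultUniverseDomain
+	}
 	if config.TokenURL == "" {
-		config.TokenURL = workloadIdentityTokenURL
+		config.TokenURL = fmt.Sprintf(workloadIdentityTokenURLFormat, config.UniverseDomain)
 	}
 	if config.TokenInfoURL == "" {
-		config.TokenInfoURL = workloadIdentityTokenInfoURL
-	}
-	if config.UniverseDomain == "" {
-		config.UniverseDomain = defaultUniverseDomain
+		config.TokenInfoURL = fmt.Sprintf(workloadIdentityTokenInfoURLFormat, config.UniverseDomain)
 	}
 }
 
@@ -384,10 +397,13 @@ func validateExternalAccountConfig(config *externalaccount.Config, wif *esv1.GCP
 	}
 	if config.ServiceAccountImpersonationURL != "" &&
 		!serviceAccountImpersonationURLRegex.MatchString(config.ServiceAccountImpersonationURL) {
-		errs = append(errs, fmt.Errorf("service_account_impersonation_url \"%s\" does not have expected value", config.ServiceAccountImpersonationURL))
+		errs = append(errs, fmt.Errorf("service_account_impersonation_url \"%s\" must match \"%s\"", config.ServiceAccountImpersonationURL, serviceAccountImpersonationURLRegex.String()))
+	}
+	if !gcpSTSTokenURLRegex.MatchString(config.TokenURL) {
+		errs = append(errs, fmt.Errorf("token_url \"%s\" must match \"%s\"", config.TokenURL, gcpSTSTokenURLRegex.String()))
 	}
-	if config.TokenURL != workloadIdentityTokenURL {
-		errs = append(errs, fmt.Errorf("token_url \"%s\" must match %s", config.TokenURL, workloadIdentityTokenURL))
+	if !gcpSTSTokenInfoURLRegex.MatchString(config.TokenInfoURL) {
+		errs = append(errs, fmt.Errorf("token_info_url \"%s\" must match \"%s\"", config.TokenInfoURL, gcpSTSTokenInfoURLRegex.String()))
 	}
 	if config.CredentialSource != nil {
 		errs = append(errs, validateCredConfigCredentialSource(config.CredentialSource, wif)...)
@@ -423,13 +439,13 @@ func validateCredConfigAWSCredentialSource(credSource *externalaccount.Credentia
 			errs = append(errs, fmt.Errorf("credential_source.environment_id \"%s\" must start with %s", credSource.EnvironmentID, awsEnvironmentIDPrefix))
 		}
 		if !awsSTSTokenURLRegex.MatchString(credSource.URL) {
-			errs = append(errs, fmt.Errorf("credential_source.aws.url \"%s\" does not have expected value", credSource.URL))
+			errs = append(errs, fmt.Errorf("credential_source.aws.url \"%s\" must match \"%s\"", credSource.URL, awsSTSTokenURLRegex.String()))
 		}
 		if !awsRegionURLRegex.MatchString(credSource.RegionURL) {
-			errs = append(errs, fmt.Errorf("credential_source.aws.region_url \"%s\" does not have expected value", credSource.RegionURL))
+			errs = append(errs, fmt.Errorf("credential_source.aws.region_url \"%s\" must match \"%s\"", credSource.RegionURL, awsRegionURLRegex.String()))
 		}
 		if credSource.IMDSv2SessionTokenURL != "" && !awsSessionTokenURLRegex.MatchString(credSource.IMDSv2SessionTokenURL) {
-			errs = append(errs, fmt.Errorf("credential_source.aws.imdsv2_session_token_url \"%s\" does not have expected value", credSource.IMDSv2SessionTokenURL))
+			errs = append(errs, fmt.Errorf("credential_source.aws.imdsv2_session_token_url \"%s\" must match \"%s\"", credSource.IMDSv2SessionTokenURL, awsSessionTokenURLRegex.String()))
 		}
 	}
 	return errs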
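Review bot: The new gcpSTSTokenURLRegex and gcpSTSTokenInfoURLRegex checks in validateExternalAccountConfig accept any host of the shape `sts.<anything>`, so a credConfig whose token_url is, say, `https://sts.example.org/v1/token` now passes validation although the previous code pinned the endpoint to sts.googleapis.com and the commit's stated intent is to follow config.UniverseDomain; the subject token is then posted to whatever host token_url names, with no tie to universe_domain. Because updateExternalAccountConfigWithDefaultValues already derives both URLs from config.UniverseDomain, validation can require exactly those derived values instead of a host pattern, which keeps token_url, token_info_url and universe_domain mutually consistent; if validation runs before the defaults are applied (the call order is not visible in this section), fall back to defaultUniverseDomain for an empty UniverseDomain as in the sketch below. A hostname-shaped check on config.UniverseDomain itself would close the remaining gap, since it is also user-supplied. The messages could use `%q` rather than `\"%s\"`, which also quotes the regex source correctly. validateExternalAccountConfig starts and ends outside the hunk.
```go
	// … unchanged: service_account_impersonation_url check …
	universeDomain := config.UniverseDomain
	if universeDomain == "" {
		universeDomain = defaultUniverseDomain
	}
	expectedTokenURL := fmt.Sprintf(workloadIdentityTokenURLFormat, universeDomain)
	if config.TokenURL != expectedTokenURL {
		errs = append(errs, fmt.Errorf("token_url %q must match %q", config.TokenURL, expectedTokenURL))
	}
	expectedTokenInfoURL := fmt.Sprintf(workloadIdentityTokenInfoURLFormat, universeDomain)
	if config.TokenInfoURL != expectedTokenInfoURL {
		errs = append(errs, fmt.Errorf("token_info_url %q must match %q", config.TokenInfoURL, expectedTokenInfoURL))
	}
	// … unchanged: credential_source checks …
```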

+ 301 - 23
providers/v1/gcp/secretmanager/workload_identity_federation_test.go


+ 1 - 0
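--- a/tests/__snapshot__/clustergenerator-v1alpha1.yaml
+++ b/tests/__snapshot__/clustergenerator-v1alpha1.yaml
@@ -87,6 +87,7 @@ spec:
             name: string
             namespace: string
           externalTokenEndpoint: string
+          gcpServiceAccountEmail: "my-gsa@my-project.iam.gserviceaccount.com"
           serviceAccountRef:
             audiences: [] # minItems 0 of type string
             name: string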

+ 1 - 0
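--- a/tests/__snapshot__/clustersecretstore-v1.yaml
+++ b/tests/__snapshot__/clustersecretstore-v1.yaml
@@ -327,6 +327,7 @@ spec:
             name: string
             namespace: string
           externalTokenEndpoint: string
+          gcpServiceAccountEmail: "my-gsa@my-project.iam.gserviceaccount.com"
           serviceAccountRef:
             audiences: [] # minItems 0 of type string
             name: string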

+ 1 - 0
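--- a/tests/__snapshot__/gcraccesstoken-v1alpha1.yaml
+++ b/tests/__snapshot__/gcraccesstoken-v1alpha1.yaml
@@ -28,6 +28,7 @@ spec:
         name: string
         namespace: string
       externalTokenEndpoint: string
+      gcpServiceAccountEmail: "my-gsa@my-project.iam.gserviceaccount.com"
       serviceAccountRef:
         audiences: [] # minItems 0 of type string
         name: string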

+ 1 - 0
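--- a/tests/__snapshot__/secretstore-v1.yaml
+++ b/tests/__snapshot__/secretstore-v1.yaml
@@ -327,6 +327,7 @@ spec:
             name: string
             namespace: string
           externalTokenEndpoint: string
+          gcpServiceAccountEmail: "my-gsa@my-project.iam.gserviceaccount.com"
           serviceAccountRef:
             audiences: [] # minItems 0 of type string
             name: string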