Update gcp-common/IAM Credentials API usage

Makefile

@@ -29,10 +29,10 @@ testcompile: fmtcheck generate
 	done
 
 test:
-	@go test -short -parallel=40 ./...
+	@go test -short -parallel=40 ./... $(TESTARGS)
 
 test-acc:
-	@go test -parallel=40 $(TESTARGS)
+	@go test -parallel=40 $(TEST) $(TESTARGS)
 # generate runs `go generate` to build the dynamically generated
 # source files.
 generate:

go.mod

@@ -3,19 +3,17 @@ module github.com/hashicorp/vault-plugin-auth-gcp
 go 1.12
 
 require (
-	github.com/golang/mock v1.4.3
+	github.com/golang/mock v1.5.0
 	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/go-cleanhttp v0.5.1
-	github.com/hashicorp/go-gcp-common v0.6.0
+	github.com/hashicorp/go-gcp-common v0.6.1-0.20210422195852-2fd33fd0a0e7
 	github.com/hashicorp/go-hclog v0.12.0
 	github.com/hashicorp/go-uuid v1.0.2
 	github.com/hashicorp/vault/api v1.0.5-0.20200215224050-f6547fa8e820
 	github.com/hashicorp/vault/sdk v0.1.14-0.20200427170607-03332aaf8d18
 	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
-	github.com/stretchr/testify v1.3.0
-	golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a
-	golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db // indirect
-	google.golang.org/api v0.3.2
-	google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107 // indirect
+	github.com/stretchr/testify v1.6.1
+	golang.org/x/oauth2 v0.0.0-20210413134643-5e61552d6c78
+	google.golang.org/api v0.45.0
 	gopkg.in/square/go-jose.v2 v2.3.1
 )

plugin/backend.go

@@ -16,13 +16,12 @@ import (
 	"google.golang.org/api/cloudresourcemanager/v1"
 	"google.golang.org/api/compute/v1"
 	"google.golang.org/api/iam/v1"
+	"google.golang.org/api/iamcredentials/v1"
 )
 
-var (
-	// cacheTime is the duration for which to cache clients and credentials. This
-	// must be less than 60 minutes.
-	cacheTime = 30 * time.Minute
-)
+// cacheTime is the duration for which to cache clients and credentials. This
+// must be less than 60 minutes.
+var cacheTime = 30 * time.Minute
 
 type GcpAuthBackend struct {
 	*framework.Backend
@@ -71,7 +70,14 @@ func Backend() *GcpAuthBackend {
 	return b
 }
 
-// IAMClient returns a new IAM client. The client is cached.
+// IAMClient returns a new IAM client. This client talks to the IAM endpoint,
+// for all things that are not signing JWTs. The SignJWT method in the IAM
+// client has been deprecated, but other methods are still valid and supported.
+//
+// See: https://pkg.go.dev/google.golang.org/api@v0.45.0/iam/v1 and:
+// https://cloud.google.com/iam/docs/migrating-to-credentials-api#iam-sign-jwt-go
+//
+// The client is cached.
 func (b *GcpAuthBackend) IAMClient(s logical.Storage) (*iam.Service, error) {
 	httpClient, err := b.httpClient(s)
 	if err != nil {
@@ -94,6 +100,35 @@ func (b *GcpAuthBackend) IAMClient(s logical.Storage) (*iam.Service, error) {
 	return client.(*iam.Service), nil
 }
 
+// IAMCredentialsClient returns a new IAM Service Account Credentials client.
+// This client talks to the IAM Service Credentials endpoint, for signing JWTs.
+//
+// See:
+// https://pkg.go.dev/google.golang.org/api@v0.45.0/iamcredentials/v1#pkg-overview
+//
+// The client is cached.
+func (b *GcpAuthBackend) IAMCredentialsClient(s logical.Storage) (*iamcredentials.Service, error) {
+	httpClient, err := b.httpClient(s)
+	if err != nil {
+		return nil, errwrap.Wrapf("failed to create IAM Service Account Credentials HTTP client: {{err}}", err)
+	}
+
+	client, err := b.cache.Fetch("iamcredentials", cacheTime, func() (interface{}, error) {
+		client, err := iamcredentials.New(httpClient)
+		if err != nil {
+			return nil, errwrap.Wrapf("failed to create IAM Service Account Credentials client: {{err}}", err)
+		}
+		client.UserAgent = useragent.String()
+
+		return client, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return client.(*iamcredentials.Service), nil
+}
+
 // ComputeClient returns a new Compute client. The client is cached.
 func (b *GcpAuthBackend) ComputeClient(s logical.Storage) (*compute.Service, error) {
 	httpClient, err := b.httpClient(s)

plugin/cli.go

@@ -5,22 +5,23 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strings"
+	"time"
+
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/go-gcp-common/gcputil"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/sdk/helper/parseutil"
 	"golang.org/x/oauth2"
-	"google.golang.org/api/iam/v1"
-	"strings"
-	"time"
+	"google.golang.org/api/iamcredentials/v1"
 )
 
 type CLIHandler struct{}
 
 func getSignedJwt(role string, m map[string]string) (string, error) {
 	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, cleanhttp.DefaultClient())
 
-	credentials, tokenSource, err := gcputil.FindCredentials(m["credentials"], ctx, iam.CloudPlatformScope)
+	credentials, tokenSource, err := gcputil.FindCredentials(m["credentials"], ctx, iamcredentials.CloudPlatformScope)
 	if err != nil {
 		return "", fmt.Errorf("could not obtain credentials: %v", err)
 	}
@@ -44,7 +45,7 @@ func getSignedJwt(role string, m map[string]string) (string, error) {
 		}
 	}
 
-	var ttl = time.Duration(defaultIamMaxJwtExpMinutes) * time.Minute
+	ttl := time.Duration(defaultIamMaxJwtExpMinutes) * time.Minute
 	jwtExpStr, ok := m["jwt_exp"]
 	if ok {
 		ttl, err = parseutil.ParseDurationSecond(jwtExpStr)
@@ -63,11 +64,11 @@ func getSignedJwt(role string, m map[string]string) (string, error) {
 		return "", fmt.Errorf("could not convert JWT payload to JSON string: %v", err)
 	}
 
-	jwtReq := &iam.SignJwtRequest{
+	jwtReq := &iamcredentials.SignJwtRequest{
 		Payload: string(payloadBytes),
 	}
 
-	iamClient, err := iam.New(httpClient)
+	iamClient, err := iamcredentials.New(httpClient)
 	if err != nil {
 		return "", fmt.Errorf("could not create IAM client: %v", err)
 	}
@@ -104,7 +105,6 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 			"role": role,
 			"jwt":  loginToken,
 		})
-
 	if err != nil {
 		return nil, err
 	}

plugin/login_util.go

@@ -3,14 +3,15 @@ package gcpauth
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/hashicorp/go-gcp-common/gcputil"
-	"google.golang.org/api/iam/v1"
 	"time"
+
+	"github.com/hashicorp/go-gcp-common/gcputil"
+	"google.golang.org/api/iamcredentials/v1"
 )
 
 func ServiceAccountLoginJwt(
-	iamClient *iam.Service, exp time.Time, aud, project, serviceAccount string) (*iam.SignJwtResponse, error) {
-	accountResource := fmt.Sprintf(gcputil.ServiceAccountTemplate, project, serviceAccount)
+	iamClient *iamcredentials.Service, exp time.Time, aud, serviceAccount string) (*iamcredentials.SignJwtResponse, error) {
+	accountResource := fmt.Sprintf(gcputil.ServiceAccountTemplate, serviceAccount)
 
 	payload, err := json.Marshal(map[string]interface{}{
 		"sub": serviceAccount,
@@ -20,7 +21,7 @@ func ServiceAccountLoginJwt(
 	if err != nil {
 		return nil, err
 	}
-	jwtReq := &iam.SignJwtRequest{
+	jwtReq := &iamcredentials.SignJwtRequest{
 		Payload: string(payload),
 	}
 	return iamClient.Projects.ServiceAccounts.SignJwt(accountResource, jwtReq).Do()

plugin/path_login_test.go

@@ -178,12 +178,12 @@ func TestLogin_IAM(t *testing.T) {
 			}
 
 			// Build the JWT token
-			iamClient, err := b.IAMClient(storage)
+			iamClient, err := b.IAMCredentialsClient(storage)
 			if err != nil {
 				t.Fatal(err)
 			}
 			exp := time.Now().Add(10 * time.Minute)
-			jwt, err := ServiceAccountLoginJwt(iamClient, exp, "vault/"+role, creds.ProjectId, creds.ClientEmail)
+			jwt, err := ServiceAccountLoginJwt(iamClient, exp, "vault/"+role, creds.ClientEmail)
 			if err != nil {
 				t.Fatal(err)
 			}