6 changes: 6 additions & 0 deletions plugins/secretstores/googlecloud/README.md
Expand Up @@ -27,6 +27,12 @@ store usage.
## Path to the service account credentials file
credentials_file = "./testdata/gdch.json"

## OAuth2 scopes for the generated access token.
## Defaults to cloud-platform for service-account credentials.
## GDCH/STS users can ignore this option as only the audience
## parameter is evaluated for those credential types.
# scopes = ["https://www.googleapis.com/auth/cloud-platform"]

## Audience sent to when retrieving an STS token.
## Currently only used for GDCH auth flow
sts_audience = "https://{AUDIENCE_URL}"
9 changes: 9 additions & 0 deletions plugins/secretstores/googlecloud/googlecloud.go
Expand Up @@ -49,9 +49,18 @@ func (g *GoogleCloud) Init() error {
if err != nil {
return fmt.Errorf("unable to parse credentials file type: %w", err)
}

// Default to cloud-platform scope for standard public-GCP service-account JSON keys.
// This covers all GCP APIs; actual permissions are still gated by IAM roles.
// GDCH/STS users continue to rely exclusively on sts_audience (Scopes is ignored).
if len(g.Scopes) == 0 && credType == "service_account" {
g.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}
}

saType := credentials.CredType(credType)

creds, err := credentials.NewCredentialsFromJSON(saType, serviceAccount, &credentials.DetectOptions{
Scopes: g.Scopes,
STSAudience: g.STSAudience,
Client: client,
Logger: slog.NewLogger(g.Log),
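Review bot: The new default is keyed only on `credType == "service_account"`, so any other JSON key type this loader accepts that also consumes OAuth scopes (for instance `authorized_user` or `external_account`, if supported here) still reaches `NewCredentialsFromJSON` with an empty Scopes list, while the added comment only explains the GDCH/STS case. Either extend the comment to say what those types do without scopes, or widen the condition if they should receive the same default; the hunk does not show which types `credentials.CredType` accepts, so this needs checking against that package. The literal `"service_account"` also sits next to `credentials.CredType(credType)` — if that package exports a typed constant for the service-account kind, comparing against it would keep the two from drifting. Because cloud-platform is the broadest scope Google issues, the doc comment should be explicit about least privilege, e.g. `// Operators who want a narrower token must set scopes explicitly in the config.` Init begins and continues outside the hunk.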
6 changes: 6 additions & 0 deletions plugins/secretstores/googlecloud/sample.conf
Expand Up @@ -8,6 +8,12 @@
## Path to the service account credentials file
credentials_file = "./testdata/gdch.json"

## OAuth2 scopes for the generated access token.
## Defaults to cloud-platform for service-account credentials.
## GDCH/STS users can ignore this option as only the audience
## parameter is evaluated for those credential types.
# scopes = ["https://www.googleapis.com/auth/cloud-platform"]

## Audience sent to when retrieving an STS token.
## Currently only used for GDCH auth flow
sts_audience = "https://{AUDIENCE_URL}"