Proper GCP - OIDC termination (#549)

Author: dacbd

environment/setup.sh

@@ -27,8 +27,9 @@ if [ ! -f "$FILE" ]; then
   sudo apt install -y ubuntu-drivers-common
   sudo ubuntu-drivers autoinstall
 
-  sudo curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login
-  sudo chmod 755 /usr/bin/docker-credential-ecr-login
+  get_ecr_helper="curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login"
+  chmod_ecr_help="chmod 755 /usr/bin/docker-credential-ecr-login"
+  sudo systemd-run --same-dir --no-block --service-type=exec bash -c "$get_ecr_help && $chmod_ecr_help"
 
   curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -
   curl -s -L https://nvidia.github.io/nvidia-docker/ubuntu18.04/nvidia-docker.list | sudo tee /etc/apt/sources.list.d/nvidia-docker.list

iterative/gcp/provider.go

@@ -318,8 +318,13 @@ func getProjectService() (string, *gcp_compute.Service, error) {
 	if err != nil {
 		return "", nil, err
 	}
-
-	service, err := gcp_compute.New(oauth2.NewClient(oauth2.NoContext, credentials.TokenSource))
+	var tokenSource oauth2.TokenSource
+	if token, err := reuseToken(); err == nil && token != nil {
+		tokenSource = oauth2.ReuseTokenSource(token, credentials.TokenSource)
+	} else {
+		tokenSource = credentials.TokenSource
+	}
+	service, err := gcp_compute.New(oauth2.NewClient(oauth2.NoContext, tokenSource))
 	if err != nil {
 		return "", nil, err
 	}
@@ -348,9 +353,29 @@ func getProjectService() (string, *gcp_compute.Service, error) {
 		credentials.ProjectID = coercedProjectID
 	}
 
-	os.Setenv("GOOGLE_APPLICATION_CREDENTIALS_DATA", string(credentials.JSON))
 	return credentials.ProjectID, service, nil
 }
+func reuseToken() (*oauth2.Token, error) {
+	var token *oauth2.Token
+	tokenJSON := os.Getenv("CML_GCP_ACCESS_TOKEN")
+	if len(tokenJSON) == 0 {
+		return nil, nil
+	}
+	err := json.Unmarshal([]byte(tokenJSON), &token)
+	return token, err
+}
+
+func ExtractToken(credentials *google.Credentials) ([]byte, error) {
+	token, err := credentials.TokenSource.Token()
+	if err != nil {
+		return nil, err
+	}
+	tokenJSON, err := json.Marshal(token)
+	if err != nil {
+		return nil, err
+	}
+	return tokenJSON, nil
+}
 
 func coerceOIDCCredentials(credentialsJSON []byte) (string, error) {
 	var credentials map[string]interface{}

iterative/resource_runner.go

@@ -333,6 +333,7 @@ export AZURE_TENANT_ID={{escape .AZURE_TENANT_ID}}
 {{- end}}
 {{- if eq .cloud "gcp"}}
 export GOOGLE_APPLICATION_CREDENTIALS_DATA={{escape .GOOGLE_APPLICATION_CREDENTIALS_DATA}}
+export CML_GCP_ACCESS_TOKEN={{escape .CML_GCP_ACCESS_TOKEN}}
 {{- end}}
 {{- if eq .cloud "kubernetes"}}
 export KUBERNETES_CONFIGURATION={{escape .KUBERNETES_CONFIGURATION}}
@@ -433,8 +434,13 @@ func provisionerCode(d *schema.ResourceData) (string, error) {
 	}
 
 	var gcpCredentials string
+	var gcpToken []byte
 	if credentials, err := gcp.LoadGCPCredentials(); err == nil {
 		gcpCredentials = string(credentials.JSON)
+		// reuse token for oidc
+		if credentials.ProjectID == "" {
+			gcpToken, _ = gcp.ExtractToken(credentials)
+		}
 	}
 
 	data := make(map[string]interface{})
@@ -458,6 +464,7 @@ func provisionerCode(d *schema.ResourceData) (string, error) {
 	data["AZURE_SUBSCRIPTION_ID"] = os.Getenv("AZURE_SUBSCRIPTION_ID")
 	data["AZURE_TENANT_ID"] = os.Getenv("AZURE_TENANT_ID")
 	data["GOOGLE_APPLICATION_CREDENTIALS_DATA"] = gcpCredentials
+	data["CML_GCP_ACCESS_TOKEN"] = string(gcpToken)
 	data["KUBERNETES_CONFIGURATION"] = os.Getenv("KUBERNETES_CONFIGURATION")
 	data["container"] = isContainerAvailable(d.Get("cloud").(string))
 	data["setup"] = strings.Replace(environment.SetupScript, "#/bin/sh", "", 1)

iterative/testdata/script_template_cloud_aws.golden

@@ -28,8 +28,9 @@ if [ ! -f "$FILE" ]; then
   sudo apt install -y ubuntu-drivers-common
   sudo ubuntu-drivers autoinstall
 
-  sudo curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login
-  sudo chmod 755 /usr/bin/docker-credential-ecr-login
+  get_ecr_helper="curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login"
+  chmod_ecr_help="chmod 755 /usr/bin/docker-credential-ecr-login"
+  sudo systemd-run --same-dir --no-block --service-type=exec bash -c "$get_ecr_help && $chmod_ecr_help"
 
   curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -
   curl -s -L https://nvidia.github.io/nvidia-docker/ubuntu18.04/nvidia-docker.list | sudo tee /etc/apt/sources.list.d/nvidia-docker.list

iterative/testdata/script_template_cloud_azure.golden

@@ -28,8 +28,9 @@ if [ ! -f "$FILE" ]; then
   sudo apt install -y ubuntu-drivers-common
   sudo ubuntu-drivers autoinstall
 
-  sudo curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login
-  sudo chmod 755 /usr/bin/docker-credential-ecr-login
+  get_ecr_helper="curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login"
+  chmod_ecr_help="chmod 755 /usr/bin/docker-credential-ecr-login"
+  sudo systemd-run --same-dir --no-block --service-type=exec bash -c "$get_ecr_help && $chmod_ecr_help"
 
   curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -
   curl -s -L https://nvidia.github.io/nvidia-docker/ubuntu18.04/nvidia-docker.list | sudo tee /etc/apt/sources.list.d/nvidia-docker.list

iterative/testdata/script_template_cloud_gcp.golden

@@ -28,8 +28,9 @@ if [ ! -f "$FILE" ]; then
   sudo apt install -y ubuntu-drivers-common
   sudo ubuntu-drivers autoinstall
 
-  sudo curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login
-  sudo chmod 755 /usr/bin/docker-credential-ecr-login
+  get_ecr_helper="curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login"
+  chmod_ecr_help="chmod 755 /usr/bin/docker-credential-ecr-login"
+  sudo systemd-run --same-dir --no-block --service-type=exec bash -c "$get_ecr_help && $chmod_ecr_help"
 
   curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -
   curl -s -L https://nvidia.github.io/nvidia-docker/ubuntu18.04/nvidia-docker.list | sudo tee /etc/apt/sources.list.d/nvidia-docker.list
@@ -43,6 +44,7 @@ sudo npm config set user 0 && sudo npm install --global 18 value with "quotes" a
 sudo tee /usr/bin/cml.sh << 'EOF'
 #!/bin/sh
 export GOOGLE_APPLICATION_CREDENTIALS_DATA=''
+export CML_GCP_ACCESS_TOKEN=''
 
 HOME="$(mktemp -d)" exec $(which cml-runner || echo $(which cml-internal || echo cml) runner) \
    --name '10 value with "quotes" and spaces' \

iterative/testdata/script_template_cloud_invalid.golden

@@ -28,8 +28,9 @@ if [ ! -f "$FILE" ]; then
   sudo apt install -y ubuntu-drivers-common
   sudo ubuntu-drivers autoinstall
 
-  sudo curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login
-  sudo chmod 755 /usr/bin/docker-credential-ecr-login
+  get_ecr_helper="curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login --output /usr/bin/docker-credential-ecr-login"
+  chmod_ecr_help="chmod 755 /usr/bin/docker-credential-ecr-login"
+  sudo systemd-run --same-dir --no-block --service-type=exec bash -c "$get_ecr_help && $chmod_ecr_help"
 
   curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -
   curl -s -L https://nvidia.github.io/nvidia-docker/ubuntu18.04/nvidia-docker.list | sudo tee /etc/apt/sources.list.d/nvidia-docker.list