-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Google connector with ADC: unexpected end of JSON input #2676
Comments
I think I might have isolated the issue with the code (upon further testing in a GKE cluster) and its with this line: https://github.com/dexidp/dex/blob/master/connector/google/google.go#L300 The default behavior for the google.FindDefaultCredentials function is the following:
|
Thank you for investigating this. Yeah, I also suspect it's because of |
Is this a breaking change? From the code change in #2530 it seems that
was removed and so now as an admin I have to configure additional stuff for the google connector to work? Due to the security issue fixed in 2.34 we just tried to bump our Dex installations from 2.32 to 2.35.1 and things suddenly crashlooped. So far our configuration was rather simple: - type: google
id: google
name: Google
config:
issuer: https://accounts.google.com
clientID: yadda.yadda.yadda.apps.googleusercontent.com
clientSecret: thisIsNotARealSecret
redirectURI: https://initech.example.com/dex/callback
hostedDomains:
- initech.com
- initroid.com Our Dex pods run in Kubernetes on GKE nodes. |
@xrstf it does seem to be yet another regression with the Google connector. Annoying... There is a new patch version coming up upgrading Go to the latest patch version. I believe I can patch this one as well: #2699 As for the original issue: we need a better understanding of how the admin service works. Previous assumption was that an admin user has to be impersonated in order to use it. We need to verify that assumption/find out how authorization works with the admin service. As a quick fix though, we could disable impersonation if JSON is empty for a default credential. Edit: @xrstf in your case the groups scope is not configured as far as I can tell, so the fix I'm about to submit should fix your case. As soon as the groups scope is added to the list, you will have to change your configuration. |
See #2700 |
Also #2122 could solve this problem as well. |
Please comment on #2701 |
FYI, deploying 2.35.1, we saw an error:
|
Thanks for reporting. I believe the solution to that is going to be refactoring the code based on #2122 |
Hiya @sagikazarmark 👋 I'm not too sure which issue / PR to comment on, but we're also hitting problems with Workload Identity / ADC in GKE. We're running ArgoCD, deployed with the Helm chart and using the bundled dex deployment. We followed these instructions to get group membership. We don't see any errors/warnings in the logs on startup (with or without adminEmail), but we don't see group membership in the ArgoCD UI. It looks like some commits went into master since the latest release which are related to this. Do you know when the next release is planned for? |
@milesarmstrong we are still trying to determine the correct solution for the problem. Chances are the latest release does NOT work with workload identity. The current workaround is manually passing an IAM service account to the Dex workload. It should work with the latest release. I know it's not ideal, but that's the currently available workaround. Although we wanted to fix the problem in the next release (which is due this week), it may not just be part of it. |
Pitching in here that we managed to get dex running with groups on Anthos Bare Metal (no metadata server) with workload identity using these changes. The issue is that {
"type": "external_account",
"audience": "identitynamespace:WORKLOAD_IDENTITY_POOL:IDENTITY_PROVIDER",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/GSA_NAME@GSA_PROJECT_ID.iam.gserviceaccount.com:generateAccessToken",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"credential_source": {
"file": "/var/run/secrets/tokens/gcp-ksa/token"
}
}
See the docs for reference. |
It is as follows according to the Google Oauth2 document. https://pkg.go.dev/golang.org/x/oauth2/google#Credentials
I tried with using GKE Workload Identity function to authentication from Google Workspace. But it could not success. I think google oauth2 does not support Google Kubernetes Engine environment. |
I have also verified the changes made by @torfjor work flawlessly when running Dex on GKE using Workload Identity to retrieve Google groups. In my case the Dex server is running as auth for ArgoCD. I attached a Workload Identity GSA to the Dex server that has the Groups Reader Admin role as outlined by https://support.google.com/a/answer/9807615?hl=en#zippy=%2Cassign-a-role-to-a-service-account. |
I've been trying to understand the issue and why it's not working, and I've come to the following conclusions (I might be wrong, but this is my current understanding):
Based on the limitations, it seems that it's fundamentally not possible to achieve impersonation using GKE Workload Identity in this scenario. |
It is possible to achieve what you want by constructing your desired JWT and passing it to the IAM Service Account Credentials API (see the signJwt method). Nowadays you can grant service accounts workspace admin roles without domain wide delegation. That's probably a more comfortable route. |
@torfjor, thank you for your suggestion. I tested it, and can confirm that it indeed works. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/sign-jwt |
I have submitted a pull request addressing the mentioned issue: #2989. It would be greatly appreciated if someone could test it. |
Preflight Checklist
Version
ghcr.io/dexidp/dex:v2.34.0
Storage Type
Kubernetes
Installation Type
Other (specify below)
Expected Behavior
google connector successfully use Application Default Credential via Compute Engine metadata server
Actual Behavior
failed to initialize server: server: Failed to open connector google: failed to open connector: failed to create connector google: could not create directory service: unable to parse credentials to config: unexpected end of JSON input
Steps To Reproduce
serviceAccountFilePath
Additional Information
I installed dex via ArgoCD's
install.yaml
, and replaced its version from v2.30.2 to v2.34.0.My setup worked OK before, with a key file in serviceAccountFilePath.
I tried running the following code on the same GKE pod by
kubectl exec
, and it went all good.The above code works OK with following output, which is something I expected.
The code does basically the same as dex v2.34.0, so I am not sure why it doesn't work in dex.
cc @ichbinfrog
Configuration
Logs
The text was updated successfully, but these errors were encountered: