gcloud: add service account impersonation (#2544)

Co-authored-by: Fernandez Ludovic <[email protected]>

Author: git-johnson

cmd/zz_gen_cmd_dnshelp.go

@@ -914,6 +914,8 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 h1:rgMkmiGfix9vFJDcDi1PK8WEQP4FLQwLDfhp5ZLpFeE=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0/go.mod h1:ijPqXp5P6IRRByFVVg9DY8P5HkxkHE5ARIa+86aXPf4=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I=
 go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=

docs/content/dns/zz_gen_gcloud.md

@@ -5,9 +5,29 @@ Code = "gcloud"
 Since = "v0.3.0"
 
 Example = '''
+# Using a service account file
 GCE_PROJECT="gc-project-id" \
 GCE_SERVICE_ACCOUNT_FILE="/path/to/svc/account/file.json" \
-lego --email [email protected] --dns gcloud -d '*.example.com' -d example.com run
+lego --email [email protected] --dns gcloud -d '*.example.com' -d example.com run
+
+# Using default credentials with impersonation
+GCE_PROJECT="gc-project-id" \
+GCE_IMPERSONATE_SERVICE_ACCOUNT="[email protected]" \
+lego --email [email protected] --dns gcloud -d '*.example.com' -d example.com run
+
+# Using service account key with impersonation
+GCE_PROJECT="gc-project-id" \
+GCE_SERVICE_ACCOUNT_FILE="/path/to/svc/account/file.json" \
+GCE_IMPERSONATE_SERVICE_ACCOUNT="[email protected]" \
+lego --email [email protected] --dns gcloud -d '*.example.com' -d example.com run
+'''
+
+Additional = '''
+Supports service account impersonation to access Google Cloud DNS resources across different projects or with restricted permissions.
+
+When using impersonation, the source service account must have:
+1. The "Service Account Token Creator" role on the source service account
+2. The "https://www.googleapis.com/auth/cloud-platform" scope
 '''
 
 [Configuration]
@@ -19,6 +39,7 @@ lego --email [email protected] --dns gcloud -d '*.example.com' -d example.com run
   [Configuration.Additional]
     GCE_ALLOW_PRIVATE_ZONE = "Allows requested domain to be in private DNS zone, works only with a private ACME server (by default: false)"
     GCE_ZONE_ID = "Allows to skip the automatic detection of the zone"
+    GCE_IMPERSONATE_SERVICE_ACCOUNT = "Service account email to impersonate"
     GCE_POLLING_INTERVAL = "Time between DNS propagation check in seconds (Default: 5)"
     GCE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation in seconds (Default: 180)"
     GCE_TTL = "The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)"

go.sum

@@ -17,21 +17,24 @@ import (
 	"github.com/go-acme/lego/v4/platform/config/env"
 	"github.com/go-acme/lego/v4/platform/wait"
 	"golang.org/x/net/context"
+	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/dns/v1"
 	"google.golang.org/api/googleapi"
+	"google.golang.org/api/impersonate"
 	"google.golang.org/api/option"
 )
 
 // Environment variables names.
 const (
 	envNamespace = "GCE_"
 
-	EnvServiceAccount   = envNamespace + "SERVICE_ACCOUNT"
-	EnvProject          = envNamespace + "PROJECT"
-	EnvZoneID           = envNamespace + "ZONE_ID"
-	EnvAllowPrivateZone = envNamespace + "ALLOW_PRIVATE_ZONE"
-	EnvDebug            = envNamespace + "DEBUG"
+	EnvServiceAccount            = envNamespace + "SERVICE_ACCOUNT"
+	EnvProject                   = envNamespace + "PROJECT"
+	EnvZoneID                    = envNamespace + "ZONE_ID"
+	EnvAllowPrivateZone          = envNamespace + "ALLOW_PRIVATE_ZONE"
+	EnvDebug                     = envNamespace + "DEBUG"
+	EnvImpersonateServiceAccount = envNamespace + "IMPERSONATE_SERVICE_ACCOUNT"
 
 	EnvTTL                = envNamespace + "TTL"
 	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
@@ -44,25 +47,27 @@ var _ challenge.ProviderTimeout = (*DNSProvider)(nil)
 
 // Config is used to configure the creation of the DNSProvider.
 type Config struct {
-	Debug              bool
-	Project            string
-	ZoneID             string
-	AllowPrivateZone   bool
-	PropagationTimeout time.Duration
-	PollingInterval    time.Duration
-	TTL                int
-	HTTPClient         *http.Client
+	Debug                     bool
+	Project                   string
+	ZoneID                    string
+	AllowPrivateZone          bool
+	ImpersonateServiceAccount string
+	PropagationTimeout        time.Duration
+	PollingInterval           time.Duration
+	TTL                       int
+	HTTPClient                *http.Client
 }
 
 // NewDefaultConfig returns a default configuration for the DNSProvider.
 func NewDefaultConfig() *Config {
 	return &Config{
-		Debug:              env.GetOrDefaultBool(EnvDebug, false),
-		ZoneID:             env.GetOrDefaultString(EnvZoneID, ""),
-		AllowPrivateZone:   env.GetOrDefaultBool(EnvAllowPrivateZone, false),
-		TTL:                env.GetOrDefaultInt(EnvTTL, dns01.DefaultTTL),
-		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 180*time.Second),
-		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, 5*time.Second),
+		Debug:                     env.GetOrDefaultBool(EnvDebug, false),
+		ZoneID:                    env.GetOrDefaultString(EnvZoneID, ""),
+		AllowPrivateZone:          env.GetOrDefaultBool(EnvAllowPrivateZone, false),
+		ImpersonateServiceAccount: env.GetOrDefaultString(EnvImpersonateServiceAccount, ""),
+		TTL:                       env.GetOrDefaultInt(EnvTTL, dns01.DefaultTTL),
+		PropagationTimeout:        env.GetOrDefaultSecond(EnvPropagationTimeout, 180*time.Second),
+		PollingInterval:           env.GetOrDefaultSecond(EnvPollingInterval, 5*time.Second),
 	}
 }
 
@@ -95,14 +100,14 @@ func NewDNSProviderCredentials(project string) (*DNSProvider, error) {
 		return nil, errors.New("googlecloud: project name missing")
 	}
 
-	client, err := google.DefaultClient(context.Background(), dns.NdevClouddnsReadwriteScope)
-	if err != nil {
-		return nil, fmt.Errorf("googlecloud: unable to get Google Cloud client: %w", err)
-	}
-
 	config := NewDefaultConfig()
 	config.Project = project
-	config.HTTPClient = client
+
+	var err error
+	config.HTTPClient, err = newClientFromCredentials(context.Background(), config)
+	if err != nil {
+		return nil, fmt.Errorf("googlecloud: %w", err)
+	}
 
 	return NewDNSProviderConfig(config)
 }
@@ -129,15 +134,14 @@ func NewDNSProviderServiceAccountKey(saKey []byte) (*DNSProvider, error) {
 		project = datJSON.ProjectID
 	}
 
-	conf, err := google.JWTConfigFromJSON(saKey, dns.NdevClouddnsReadwriteScope)
-	if err != nil {
-		return nil, fmt.Errorf("googlecloud: unable to acquire config: %w", err)
-	}
-	client := conf.Client(context.Background())
-
 	config := NewDefaultConfig()
 	config.Project = project
-	config.HTTPClient = client
+
+	var err error
+	config.HTTPClient, err = newClientFromServiceAccountKey(context.Background(), config, saKey)
+	if err != nil {
+		return nil, fmt.Errorf("googlecloud: %w", err)
+	}
 
 	return NewDNSProviderConfig(config)
 }
@@ -384,6 +388,54 @@ func (d *DNSProvider) findTxtRecords(zone, fqdn string) ([]*dns.ResourceRecordSe
 	return recs.Rrsets, nil
 }
 
+func newClientFromCredentials(ctx context.Context, config *Config) (*http.Client, error) {
+	if config.ImpersonateServiceAccount != "" {
+		ts, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
+		if err != nil {
+			return nil, fmt.Errorf("unable to get default token source: %w", err)
+		}
+
+		return newImpersonateClient(ctx, config.ImpersonateServiceAccount, ts)
+	}
+
+	client, err := google.DefaultClient(ctx, dns.NdevClouddnsReadwriteScope)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get Google Cloud client: %w", err)
+	}
+
+	return client, nil
+}
+
+func newClientFromServiceAccountKey(ctx context.Context, config *Config, saKey []byte) (*http.Client, error) {
+	if config.ImpersonateServiceAccount != "" {
+		conf, err := google.JWTConfigFromJSON(saKey, "https://www.googleapis.com/auth/cloud-platform")
+		if err != nil {
+			return nil, fmt.Errorf("unable to acquire config: %w", err)
+		}
+
+		return newImpersonateClient(ctx, config.ImpersonateServiceAccount, conf.TokenSource(ctx))
+	}
+
+	conf, err := google.JWTConfigFromJSON(saKey, dns.NdevClouddnsReadwriteScope)
+	if err != nil {
+		return nil, fmt.Errorf("unable to acquire config: %w", err)
+	}
+
+	return conf.Client(ctx), nil
+}
+
+func newImpersonateClient(ctx context.Context, impersonateServiceAccount string, ts oauth2.TokenSource) (*http.Client, error) {
+	impersonatedTS, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
+		TargetPrincipal: impersonateServiceAccount,
+		Scopes:          []string{dns.NdevClouddnsReadwriteScope},
+	}, option.WithTokenSource(ts))
+	if err != nil {
+		return nil, fmt.Errorf("unable to create impersonated credentials: %w", err)
+	}
+
+	return oauth2.NewClient(ctx, impersonatedTS), nil
+}
+
 func mustUnquote(raw string) string {
 	clean, err := strconv.Unquote(raw)
 	if err != nil {

providers/dns/gcloud/gcloud.toml

@@ -30,7 +30,8 @@ var envTest = tester.NewEnvTest(
 	envServiceAccountFile,
 	envGoogleApplicationCredentials,
 	envMetadataHost,
-	EnvServiceAccount).
+	EnvServiceAccount,
+	EnvImpersonateServiceAccount).
 	WithDomain(envDomain).
 	WithLiveTestExtra(func() bool {
 		_, err := google.DefaultClient(context.Background(), dns.NdevClouddnsReadwriteScope)