
Wilfred van der Deijl wvanderdeijl

@wvanderdeijl
wvanderdeijl / pulumi-aws-with-gcp-service-account.ts
Last active February 9, 2024 13:42
@pulumi/aws with assumeRoleWithWebIdentity using a google service account
import * as aws from '@pulumi/aws';
import { all, output, secret } from '@pulumi/pulumi';
const serviceAccount = output('my-service-account@my-project.iam.gserviceaccount.com');
const audience = output('*****');
const awsRoleArn = output('arn:aws:iam::999999999999:role/pulumi-aws-federation');
const token = secret(
all([serviceAccount, audience]).apply(async ([serviceAccount, audience]) => {
const client = await auth.getClient();
@wvanderdeijl
wvanderdeijl / client-authentication.md
Last active June 9, 2022 09:56
OAuth Client Authentication using Google Service Account

Some identity providers support OAuth client authentication using the private_key_jwt authentication method. This means you invoke the OAuth token endpoint with a JWT that is signed using a private key and a client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer. The identity provider then validates the token using the public key and issues an access token.

In the setup at the identity provider you have to create an OAuth client, set it up to use private_key_jwt as the authentication method and supply a URL to the JWKS (JSON Web Key Set) that contains the public key(s). This makes this flow very easy to implement with a Google service account since Google publicly hosts the JWKS for each service account at https://www.googleapis.com/service_accounts/v1/jwk/SERVICE_ACCOUNT_EMAIL. Having the identity provider fetch the JWKS from a public endpoint adds security as it allows for frequent service account key rotation at the side of Google without the need to reconfigure the i

@wvanderdeijl
wvanderdeijl / validate.ts
Last active August 8, 2022 11:20
Validating an employer number (werkgeversnummer) with TypeScript
/**
* Damm algorithm is a check digit algorithm that detects all single-digit errors and all adjacent transposition errors
* https://en.wikipedia.org/wiki/Damm_algorithm
*
* Live typescript playground at: https://www.typescriptlang.org/play?ssl=33&ssc=1&pln=1&pc=1#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-b0a7gAkwDCInKfZkA4Ik4AZM-l4D+4P3yvumFw7Y0BMWge2AA9gAwQYnSdcdvx-MI7DQQgeygmCfzQyA-3ic1TB7HtNAiQYVEIS

List of gists with federation examples

In a multi-cloud environment it is wise to use federated identities between different cloud environments. This removes the need to issue, manage, and rotate secrets. With federated identities a party running on (for example) Google Cloud can use the identity they already have within Google Cloud (attached to their VM or Cloud Function) to assume a federated AWS identity and then use that AWS identity to invoke APIs from the other party. These need not only be custom APIs (like API Gateway); since you fully impersonate an AWS identity (an AWS Role), they could also invoke AWS's own APIs like S3.

Over time I've collected numerous samples of federation between different cloud providers. This is a list of all of them:

@wvanderdeijl
wvanderdeijl / federation.md
Last active January 25, 2022 07:59
Auth0 client credentials flow federation to Google Cloud Service Account

Auth0 client credentials flow federation to Google Cloud Service Account

Preparation

Configure OIDC based Workload Identity Federation at Google Cloud (see https://cloud.google.com/iam/docs/configuring-workload-identity-federation). When configuring the identity provider use the following information:

  • Set the issuerURI to https://[TENANT].eu.auth0.com/, so Google can retrieve the https://my-tenant.eu.auth0.com/.well-known/openid-configuration configuration file with the public key information
  • Set the attributeCondition to assertion.gty=='client-credentials' && assertion.azp=='[CLIENT-ID]' However, at this stage
@wvanderdeijl
wvanderdeijl / setup.md
Last active August 30, 2023 14:44
Google Cloud Service Account to Azure Federation

Google Cloud Service Account to Azure Federation

  • Create an azure app that we will use for federation
    az ad app create --display-name my-sample-app \
        --oauth2-allow-implicit-flow false
  • Note the objectId of the created app
    OBJECT_ID=32f3c6d0-f8a0-42c2-8ae3-962d79e4cb14
@wvanderdeijl
wvanderdeijl / federation.md
Last active January 12, 2024 16:32
Google Cloud service account to AWS Role federation

Google Cloud service account to AWS Role federation

inspired by https://github.com/shrikant0013/gcp-aws-webidentityfederation

  1. create an AWS Role configured for Web Identity federation using Cognito or any OpenID provider
  2. select Google as the Identity provider in the wizard
  3. set the audience to a dummy value and do not add any additional conditions in the setup wizard. We will edit the trust policy after completing the wizard.
  4. assign any permissions needed to the role
  5. read up on "Available keys for AWS web identity federation" at
@wvanderdeijl
wvanderdeijl / gcp-key-wrapping.md
Last active June 10, 2021 08:49
Google key wrapping

Task 1. Creating the encryption key

Important: When using customer-supplied encryption keys, it is up to you to generate and manage your encryption keys. You must provide Compute Engine a key that is a 256-bit string encoded in RFC 4648 standard base64. For this lab, you will just generate a key with a random number.

  1. On the Google Cloud Platform menu, click Activate Cloud Shell to open Cloud Shell. If prompted, click Continue.
  2. Enter the following single command in Cloud Shell to create a 256 bit (32 byte) random number to use as a key:
openssl rand 32 > mykey.txt
  3. View the mykey.txt to verify the key was created:
@wvanderdeijl
wvanderdeijl / aws-raw.ts
Created May 31, 2021 20:08
Showcasing Google Cloud Workload Identity Federation from AWS using raw http requests
import { Sha256 } from '@aws-crypto/sha256-universal'; // or @aws-crypto/sha256-js
import { AssumeRoleCommand, STSClient } from '@aws-sdk/client-sts';
import { SignatureV4 } from '@aws-sdk/signature-v4';
import axios from 'axios';
const AWS_REGION = 'eu-west-1';
const AWS_ROLE_ARN = 'arn:aws:iam::999999999999:role/my-federated-role';
const GCP_IDENTITY_PROVIDER = '//iam.googleapis.com/projects/PROJECTNR/locations/global/workloadIdentityPools/POOL-ID/providers/PROVIDER-ID';
const GCP_SERVICE_ACCOUNT = 'ID@PROJECT.iam.gserviceaccount.com';
@wvanderdeijl
wvanderdeijl / aws-client.ts
Created May 31, 2021 20:05
Showcasing Google Cloud Workload Identity Federation from AWS using google-auth-library and nodejs client libraries
import { AssumeRoleCommand, STSClient } from '@aws-sdk/client-sts';
import { Resource } from '@google-cloud/resource-manager';
import { GoogleAuth, GoogleAuthOptions } from 'google-auth-library';
const AWS_REGION = 'eu-west-1';
const AWS_ROLE_ARN = 'arn:aws:iam::999999999999:role/my-federated-role';
const GCP_PROJECT_ID = 'my-google-project';
const GCP_IDENTITY_PROVIDER = '//iam.googleapis.com/projects/PROJECTNUMBER/locations/global/workloadIdentityPools/POOL-ID/providers/PROVIDER-ID';
const GCP_SERVICE_ACCOUNT = 'ID@PROJECT.iam.gserviceaccount.com';