Unable to impersonate service account to execute tests #318

Open
abharku opened this issue Apr 22, 2021 · 2 comments

abharku commented Apr 22, 2021

We use service-account impersonation to execute everything through our pipelines, but I couldn't find a way to do this with chef-inspec.

Describe the problem

I have tried the following with a containerized inspec:

function inspec { docker run -it -e GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token --impersonate-service-account=sa-name@.iam.gserviceaccount.com)" --rm -v "$(pwd)":/share 6bf4cff907b6 "$@"; }

If I pass the same SA's key file in GOOGLE_APPLICATION_CREDENTIALS, it works.

I do get the warning, when I use the first command, that SA impersonation will be used, but I get output like below:

WARNING: This command is using service account impersonation. All API calls will be executed as [sa-name@.iam.gserviceaccount.com].

Profile: GCP InSpec Profile (policy-monitor)
Version: 0.1.0
Target: gcp://default

 No tests executed.

Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 1.8.8
Target: gcp://default

 No tests executed.

Test Summary: 0 successful, 0 failures, 0 skipped

I am trying to execute tests like below, which works if I have GOOGLE_APPLICATION_CREDENTIALS:

inspec exec . -t gcp:// --input-file=inputs.yml --chef-license=accept-silent --insecure --no-ssl --self-signed

cleibl commented Dec 8, 2021

I'm running into the same issue. Were you ever able to solve it? I've tried every which way of env vars, tokens, etc. and still cannot get it to work.

amitkumardube commented Dec 16, 2021

I have the same issue. gcp-inspec simply seems to be ignoring this env variable in a GitHub workflow:
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: project-service-account@..**.iam.gserviceaccount.com

Any idea about how to use service account impersonation with gcp inspec resources?
