elastic / cloudbeat / 20813859395

76%

Build Type

push

github

Committed by web-flow

Commit Message

Authenticate with remote GCP ServiceAccount for Cloud Connectors (#3818)

### Background
Adds Cloud Connectors support for GCP using OIDC-based authentication
with Workload Identity Federation. This enables cloudbeat to
authenticate to GCP using JWT tokens from Elastic's OIDC provider.

Added `FindCloudConnectorsCredentials()` method for OIDC + WIF
authentication.
Uses GCP's `externalaccount.CredentialSource` for JWT file reading.
Uses `ServiceAccountImpersonationURL` for service account impersonation.

Upgraded `google.golang.org/api` from v0.256.0 to v0.258.0. This upgrade
includes migrating to the new credentials API:
```
option.WithCredentialsFile() → option.WithAuthCredentialsFile(option.ServiceAccount, ...)
option.WithCredentialsJSON() → option.WithAuthCredentialsJSON(option.ServiceAccount, ...)
```

### Testing
Created the Service Account and Workload Identity Pool
<img width="434" height="520" alt="image"
src="https://github.com/user-attachments/assets/647f5b7b-dea0-4614-ba16-e57e0489449c"
/>

Tested `cloudbeat/cis_gcp` with
```
      gcp:
        project_id: "elastic-security-test"
        account_type: "single-account"
        credentials:
          service_account_email: "cloudbeat-cspm-sa-a2293e07@elastic-security-test.iam.gserviceaccount.com"
          audience: "//iam.googleapis.com/projects/439975565995/locations/global/workloadIdentityPools/cloudbeat-pool-a2293e07/providers/cloudbeat-oidc-provider-a2293e07"
```
Provided the JWT with env var `CLOUD_CONNECTORS_ID_TOKEN_FILE`
<img width="598" height="245" alt="image"
src="https://github.com/user-attachments/assets/13cff761-a98c-46d3-b691-18dca4b440fe"
/>

---------

Co-authored-by: Oleg Sucharevich <oleg2807@gmail.com>

Run Details

14 of 36 new or added lines in 2 files covered. (38.89%)

2 existing lines in 1 file now uncovered.

9653 of 12691 relevant lines covered (76.06%)

16.36 hits per line