From dc412746293bc4354ddcbd72c6c139f1165959ce Mon Sep 17 00:00:00 2001
From: Mario Weigel
Date: Mon, 7 Jul 2025 13:02:50 +1200
Subject: [PATCH] Expose GCP secrets key IDs

Signed-off-by: Mario Weigel
---
 secrets/gcp/path_config.go | 24 +++++++++++++------
 secrets/gcp/path_config_test.go | 1 +
 secrets/gcp/path_role_set.go | 9 ++++++-
 secrets/gcp/path_static_account.go | 2 ++
 secrets/gcp/path_static_account_rotate_key.go | 8 ++++++-
 5 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/secrets/gcp/path_config.go b/secrets/gcp/path_config.go
index f66bff1fc..19cf772f1 100644
--- a/secrets/gcp/path_config.go
+++ b/secrets/gcp/path_config.go
@@ -72,15 +72,25 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, data
 return nil, nil
 }
- configData := map[string]interface{}{
- "ttl": int64(cfg.TTL / time.Second),
- "max_ttl": int64(cfg.MaxTTL / time.Second),
- "service_account_email": cfg.ServiceAccountEmail,
+ resp := &logical.Response{
+ Data: map[string]interface{}{
+ "ttl": int64(cfg.TTL / time.Second),
+ "max_ttl": int64(cfg.MaxTTL / time.Second),
+ "service_account_email": cfg.ServiceAccountEmail,
+ "private_key_id": "",
+ },
+ }
+
+ creds, err := gcputil.Credentials(cfg.CredentialsRaw)
+ if err != nil {
+ resp.Warnings = []string{
+ fmt.Sprintf("Failed to parse key private key ID: %v", err),
+ }
+ } else {
+ resp.Data["private_key_id"] = creds.PrivateKeyId
 }
- return &logical.Response{
- Data: configData,
- }, nil
+ return resp, nil
 }
 func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
diff --git a/secrets/gcp/path_config_test.go b/secrets/gcp/path_config_test.go
index 97d9f9296..7ec3b4bf4 100644
--- a/secrets/gcp/path_config_test.go
+++ b/secrets/gcp/path_config_test.go
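Review bot: `gcputil.Credentials(cfg.CredentialsRaw)` now runs on every config read, including for a config whose credentials were never set; if that helper rejects an empty string (likely, since it parses credential JSON — confirm), every read of such a config carries the parse warning although nothing is wrong. Guard the parse with `if cfg.CredentialsRaw != "" { ... }` and leave `private_key_id` empty otherwise. The warning text also has a doubled word: `fmt.Sprintf("Failed to parse private key ID from credentials: %v", err)`. Since warnings are returned to the API caller, it is worth confirming that the wrapped parse error never echoes credential material. pathConfigRead begins outside the hunk.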
@@ -32,6 +32,7 @@ func TestConfig(t *testing.T) {
 "ttl": int64(0),
 "max_ttl": int64(0),
 "service_account_email": "",
+ "private_key_id": "privateKey123",
 }
 testConfigRead(t, b, reqStorage, expected)
diff --git a/secrets/gcp/path_role_set.go b/secrets/gcp/path_role_set.go
index 58ffdf502..3d9488618 100644
--- a/secrets/gcp/path_role_set.go
+++ b/secrets/gcp/path_role_set.go
@@ -6,6 +6,7 @@ package gcp
 import (
 "context"
 "fmt"
+ "path"
 "github.com/hashicorp/errwrap"
 "github.com/openbao/openbao-plugins/secrets/gcp/util"
@@ -179,6 +180,7 @@ func (b *backend) pathRoleSetRead(ctx context.Context, req *logical.Request, d *
 if rs.TokenGen != nil && rs.SecretType == SecretTypeAccessToken {
 data["token_scopes"] = rs.TokenGen.Scopes
+ data["private_key_id"] = path.Base(rs.TokenGen.KeyName)
 }
 return &logical.Response{
@@ -419,7 +421,12 @@ func (b *backend) pathRoleSetRotateKey(ctx context.Context, req *logical.Request
 if warn != "" {
 return &logical.Response{Warnings: []string{warn}}, nil
 }
- return nil, nil
+
+ return &logical.Response{
+ Data: map[string]interface{}{
+ "private_key_id": path.Base(rs.TokenGen.KeyName),
+ },
+ }, nil
 }
 func getRoleSet(name string, ctx context.Context, s logical.Storage) (*RoleSet, error) {
diff --git a/secrets/gcp/path_static_account.go b/secrets/gcp/path_static_account.go
index b43b94124..49bc76365 100644
--- a/secrets/gcp/path_static_account.go
+++ b/secrets/gcp/path_static_account.go
@@ -7,6 +7,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "path"
 "github.com/hashicorp/errwrap"
 "github.com/openbao/openbao/sdk/v2/framework"
@@ -131,6 +132,7 @@ func (b *backend) pathStaticAccountRead(ctx context.Context, req *logical.Reques
 }
 if acct.TokenGen != nil && acct.SecretType == SecretTypeAccessToken {
 data["token_scopes"] = acct.TokenGen.Scopes
+ data["private_key_id"] = path.Base(acct.TokenGen.KeyName)
 }
 return &logical.Response{
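Review bot: `path.Base(rs.TokenGen.KeyName)` in pathRoleSetRead reports `"."` as the key ID whenever `KeyName` is empty, because `path.Base("")` returns `"."`; a role set whose TokenGen exists without a provisioned key name (if that state can occur — confirm against how TokenGen is populated) would then read back a bogus ID. Guard it: `if rs.TokenGen.KeyName != "" { data["private_key_id"] = path.Base(rs.TokenGen.KeyName) }`. The same applies to the pathStaticAccountRead hunk in path_static_account.go. Only the config read gained a test in path_config_test.go; neither read path has an assertion on the new field. pathRoleSetRead begins outside the hunk.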
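Review bot: The new return in pathRoleSetRotateKey reads `rs.TokenGen.KeyName` from the in-memory `rs` after rotation; if the rotation helper called earlier persists the new key without assigning it back to `rs.TokenGen` (not visible in the hunk — confirm), the response would report the key ID that was just rotated out, which is worse than returning nothing. Read it from the value the helper returns, or from the role set re-loaded from `req.Storage` after rotation. If `rs.TokenGen` can still be nil here (rotation requested on a non-access-token role set, unless an earlier check rejects that), this dereference panics; a `rs.TokenGen == nil` guard costs one line. The same applies to the pathStaticAccountRotateKey hunk in path_static_account_rotate_key.go. pathRoleSetRotateKey begins outside the hunk.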
diff --git a/secrets/gcp/path_static_account_rotate_key.go b/secrets/gcp/path_static_account_rotate_key.go
index 8033aacdf..033768ab6 100644
--- a/secrets/gcp/path_static_account_rotate_key.go
+++ b/secrets/gcp/path_static_account_rotate_key.go
@@ -6,6 +6,7 @@ package gcp
 import (
 "context"
 "fmt"
+ "path"
 "github.com/openbao/openbao/sdk/v2/framework"
 "github.com/openbao/openbao/sdk/v2/logical"
@@ -108,7 +109,12 @@ func (b *backend) pathStaticAccountRotateKey(ctx context.Context, req *logical.R
 }
 b.tryDeleteWALs(ctx, req.Storage, oldWalId)
 }
- return nil, nil
+
+ return &logical.Response{
+ Data: map[string]interface{}{
+ "private_key_id": path.Base(acct.TokenGen.KeyName),
+ },
+ }, nil
 }
 const pathStaticAccountRotateKeyHelpSyn = `Rotate the key used to generate access tokens for a static account`