//go:generate ../../../tools/readme_config_includer/generator
package googlecloud
import (
"context"
_ "embed"
"errors"
"fmt"
"os"
"cloud.google.com/go/auth"
"cloud.google.com/go/auth/credentials"
"github.com/influxdata/telegraf"
common_gcp "github.com/influxdata/telegraf/plugins/common/gcp"
common_http "github.com/influxdata/telegraf/plugins/common/http"
"github.com/influxdata/telegraf/plugins/common/slog"
"github.com/influxdata/telegraf/plugins/secretstores"
)
// sampleConfig holds the contents of sample.conf, embedded at build time and
// returned verbatim by SampleConfig.
//
//go:embed sample.conf
var sampleConfig string
// SampleConfig returns the embedded sample.conf for this secret store.
func (*GoogleCloud) SampleConfig() string {
	return sampleConfig
}
// GoogleCloud is a secret store that exposes a single secret, "token": an
// access token minted from a Google Cloud credentials file loaded in Init.
type GoogleCloud struct {
	// STSAudience is forwarded to the credential detector as the STS audience
	// (the option GDCH/STS users rely on, see Init).
	STSAudience string `toml:"sts_audience"`
	// CredentialsFile is the path of the JSON credentials file read by Init.
	// It contains key material and should be protected accordingly on disk.
	CredentialsFile string `toml:"credentials_file"`
	// Scopes are the OAuth scopes requested for the token. When left empty and
	// the file is a standard service_account key, Init defaults it to the
	// monitoring scope; for other credential types it is passed on unchanged.
	Scopes []string        `toml:"credential_scopes"` // used for standard public-GCP service_account keys
	Log    telegraf.Logger `toml:"-"`
	common_http.HTTPClientConfig

	// credentials is populated by Init and used by Get to obtain tokens.
	credentials *auth.Credentials
}
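// Init validates the configuration, reads the file named by credentials_file
// and builds the Google Cloud credentials that Get later uses to obtain a
// token. It must be called before Get. It returns an error when
// credentials_file is unset, the HTTP client cannot be created, the file
// cannot be read or its credential type cannot be determined, or the
// credentials cannot be constructed from it.
func (g *GoogleCloud) Init() error {
	// Fail fast on an unset path: os.ReadFile("") would otherwise surface a
	// confusing "open : no such file" error instead of naming the option.
	if g.CredentialsFile == "" {
		return errors.New("'credentials_file' must be set")
	}

	client, err := g.HTTPClientConfig.CreateClient(context.Background(), g.Log)
	if err != nil {
		return fmt.Errorf("creating HTTP client failed: %w", err)
	}

	// The file holds key material; it is handed to the credentials library
	// and this plugin keeps no copy of its own.
	serviceAccount, err := os.ReadFile(g.CredentialsFile)
	if err != nil {
		return fmt.Errorf("cannot load the credential file: %w", err)
	}

	credType, err := common_gcp.ParseCredentialType(g.CredentialsFile)
	if err != nil {
		return fmt.Errorf("unable to parse credentials file type: %w", err)
	}

	// Default to the minimal monitoring scope only for standard public-GCP
	// service-account JSON keys and only when the user configured none.
	// GDCH/STS users continue to rely exclusively on sts_audience; for them
	// Scopes is passed through as configured.
	if len(g.Scopes) == 0 && credType == "service_account" {
		g.Scopes = []string{"https://www.googleapis.com/auth/monitoring"}
	}

	creds, err := credentials.NewCredentialsFromJSON(credentials.CredType(credType), serviceAccount, &credentials.DetectOptions{
		Scopes:      g.Scopes,
		STSAudience: g.STSAudience,
		Client:      client,
		Logger:      slog.NewLogger(g.Log),
	})
	if err != nil {
		return fmt.Errorf("credentials search failed: %w", err)
	}
	g.credentials = creds

	return nil
}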
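// Get retrieves the access token for the configured credentials. The only
// supported key is "token"; any other key is rejected. Init must have
// succeeded first; otherwise an error is returned rather than dereferencing
// the nil credentials.
func (g *GoogleCloud) Get(key string) ([]byte, error) {
	if key != "token" {
		return nil, fmt.Errorf("invalid key %q, only 'token' is supported", key)
	}
	// Guard against use before Init (or after a failed Init) so a misconfigured
	// store reports a clear error instead of panicking.
	if g.credentials == nil {
		return nil, errors.New("secret store not initialized, Init must succeed before Get")
	}

	// Each call asks the credentials library for a token; this method does no
	// caching of its own and returns the token value as raw bytes.
	token, err := g.credentials.Token(context.Background())
	if err != nil {
		return nil, fmt.Errorf("token retrieval failed: %w", err)
	}
	return []byte(token.Value), nil
}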
// List reports the keys this store can resolve. It always exposes exactly one
// secret, "token".
func (*GoogleCloud) List() ([]string, error) {
	keys := []string{"token"}
	return keys, nil
}
// errSetNotSupported is returned by Set: this store is read-only.
var errSetNotSupported = errors.New("setting secrets is not supported")

// Set always fails. The gcloud secret store cannot store secrets; it only
// hands out tokens derived from the configured credentials.
func (*GoogleCloud) Set(_, _ string) error {
	return errSetNotSupported
}
// GetResolver returns a function that resolves key through Get on every call,
// so each invocation yields the token Get currently returns. The second result
// of the resolver is always true; presumably this marks the secret as dynamic
// for the caller — verify against the telegraf.ResolveFunc contract.
func (g *GoogleCloud) GetResolver(key string) (telegraf.ResolveFunc, error) {
	resolve := func() ([]byte, bool, error) {
		value, err := g.Get(key)
		return value, true, err
	}
	return resolve, nil
}
// newGoogleCloud is the factory registered with the secret-store registry.
// The string argument (the store ID, presumably) is unused: a fresh,
// unconfigured store is returned and the framework fills in its settings.
func newGoogleCloud(string) telegraf.SecretStore {
	return &GoogleCloud{}
}

// init registers the store under the "googlecloud" plugin name.
func init() {
	secretstores.Add("googlecloud", newGoogleCloud)
}