I want to download files from cloud storage in GCP, using the service account assigned to the VM instance. Currently, cloud-init doesn't support using bearer tokens with HTTP GETs. There is a way to pull access tokens from the local metadata server as shown in the link below. Would it be possible to implement it in cloud-init? I could see similar use cases for other major providers.
It could be done. A possible way to do it would be to have an optional "auth" attribute in download directives, which when set to something like "access_token" would prompt the cloud_init klib to detect the cloud the instance is running on, and if the detected cloud is GCP, retrieve the access token from the metadata server and then use it in the HTTP download request. But there is a non-trivial amount of work involved.
This will be a very useful feature and opens up lots of possibilities.
Service account auth can also be used to pull secrets and certs from a
secret store. Any estimate how long it would take? It's worth the wait,
thanks!
On Thu, Jul 29, 2021, 7:16 AM Francesco Lavra ***@***.***> wrote:
It could be done. A possible way to do it would be to have an optional
"auth" attribute in download directives, which when set to something like
"access_token" would prompt the cloud_init klib to detect the cloud the
instance is running on, and if the detected cloud is GCP, retrieve the
access token from the metadata server and then use it in the HTTP download
request. But there is a non-trivial amount of work involved.
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#applications
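The flow discussed in this thread (read an access token from the GCE metadata server, then send it as a bearer token on the download), as an added Python example that is not code from the cloud_init klib or from any commenter. The function names and the `TOKEN_HOSTS` allow-list are assumptions; the allow-list keeps the token from being attached to a download URL that points at some other host or at plain HTTP.

```python
import json
import urllib.parse
import urllib.request

# GCE metadata endpoint for the VM's default service account token.
TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
             "instance/service-accounts/default/token")
# Assumption: hosts allowed to receive the token (not a cloud-init setting).
TOKEN_HOSTS = {"storage.googleapis.com"}


def token_request():
    # The metadata server rejects requests that lack this header.
    return urllib.request.Request(TOKEN_URL, headers={"Metadata-Flavor": "Google"})


def parse_token(body):
    """Return (access_token, expires_in) from the metadata server's JSON reply."""
    doc = json.loads(body)
    if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    return doc["access_token"], int(doc.get("expires_in", 0))


def object_url(bucket, name):
    # Cloud Storage JSON API media download; the object name is one path segment.
    return "https://storage.googleapis.com/storage/v1/b/%s/o/%s?alt=media" % (
        urllib.parse.quote(bucket, safe=""), urllib.parse.quote(name, safe=""))


def download_request(url, token):
    """Attach the bearer token only for HTTPS URLs on an allow-listed host."""
    parts = urllib.parse.urlsplit(url)
    req = urllib.request.Request(url)
    if parts.scheme == "https" and parts.hostname in TOKEN_HOSTS:
        req.add_header("Authorization", "Bearer " + token)
    return req


def fetch(bucket, name, dest):
    # Network path: only works on a GCE VM with a service account attached.
    with urllib.request.urlopen(token_request(), timeout=5) as r:
        token, _ = parse_token(r.read())
    req = download_request(object_url(bucket, name), token)
    with urllib.request.urlopen(req, timeout=30) as r, open(dest, "wb") as out:
        out.write(r.read())
```
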