
Add CredentialsProvider for system service account (SSA) in C++ SDK #14861

11 changes: 11 additions & 0 deletions ydb/public/api/client/yc_private/iam/iam_token_service.proto
Expand Up @@ -18,6 +18,9 @@ service IamTokenService {
// create iam token for service account
rpc CreateForServiceAccount (CreateIamTokenForServiceAccountRequest) returns (CreateIamTokenResponse);

// create iam token for service
rpc CreateForService (CreateIamTokenForServiceRequest) returns (CreateIamTokenResponse);

// create iam token for compute instance
rpc CreateForComputeInstance (CreateIamTokenForComputeInstanceRequest) returns (CreateIamTokenResponse);

Expand Down Expand Up @@ -50,6 +53,14 @@ message CreateIamTokenForServiceAccountRequest {
string service_account_id = 1;
}

message CreateIamTokenForServiceRequest {
string service_id = 1;
string microservice_id = 2;
string resource_id = 3;
string resource_type = 4;
string target_service_account_id = 5;
}

message CreateIamTokenForComputeInstanceRequest {
string service_account_id = 1;
string instance_id = 2;
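Review bot: The new `CreateIamTokenForServiceRequest` message in the second hunk has no per-field comments, yet `resource_id`/`resource_type` and `target_service_account_id` are what decide which identity the returned token carries, so a caller cannot tell from the schema which fields are mandatory or how `resource_type` is spelled. A short comment per field, in the style of the existing `// create iam token for service` line, would close that gap; for example `// service account the issued token is minted for` above `string target_service_account_id = 5;`. If some of these fields are optional depending on `resource_type`, that is worth stating explicitly next to the field as well, since it is not visible from the proto itself.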
@@ -0,0 +1,15 @@
#pragma once

#include <ydb-cpp-sdk/client/iam/common/types.h>

namespace NYdb::inline V3 {

struct TIamServiceParams : TIamEndpoint {
std::string ServiceId;
std::string MicroserviceId;
std::string ResourceId;
std::string ResourceType;
std::string TargetServiceAccountId;
};

}
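Review bot: `TIamServiceParams` adds five undocumented string members and inherits the endpoint/timeout fields from `TIamEndpoint`, so a reader of the public header has no way to know which of them the provider requires or that `TargetServiceAccountId` names the account the token will represent; a one-line comment per member (or a `///` block above the struct) mirroring the proto field meanings would make the contract readable. The closing brace on the last line is also bare, while the sibling public header in this PR closes with `} // namespace NYdb` — use the same form here. The file path is not shown on this page, so the comments should also note that the struct is the parameter type consumed by `CreateIamServiceCredentialsProviderFactory`.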
@@ -0,0 +1,13 @@
LIBRARY(client-iam-private-common-include)

INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)

SRCS(
types.h
)

PEERDIR(
ydb/public/sdk/cpp/src/client/iam/common
)

END()
@@ -1,5 +1,7 @@
#pragma once

#include "common/types.h"

#include <ydb-cpp-sdk/client/iam/common/types.h>

namespace NYdb::inline V3 {
Expand All @@ -10,4 +12,7 @@ TCredentialsProviderFactoryPtr CreateIamJwtFileCredentialsProviderFactoryPrivate
/// Acquire an IAM token using JSON Web Token (JWT) contents.
TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPrivate(const TIamJwtContent& param);

/// Acquire an IAM token for system service account (SSA).
TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params);

} // namespace NYdb
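Review bot: The new declaration `CreateIamServiceCredentialsProviderFactory` breaks the naming convention of its neighbours in this header, which all carry a `Private` suffix (`CreateIamJwtParamsCredentialsProviderFactoryPrivate` directly above it), so the private-API marker is lost for the one factory that mints tokens on behalf of another service account. Rename it to `CreateIamServiceCredentialsProviderFactoryPrivate` here and at its definition in `iam_private/iam.cpp`, which is part of the same PR. The `///` comment could also say what the caller must fill in, e.g. `/// Acquire an IAM token for system service account (SSA); ServiceId, MicroserviceId and TargetServiceAccountId come from \`params\`.`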
21 changes: 14 additions & 7 deletions ydb/public/sdk/cpp/src/client/iam/common/iam.h
Expand Up @@ -19,12 +19,19 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
protected:
using TRequestFiller = std::function<void(TRequest&)>;

using TSimpleRpc =
typename NYdbGrpc::TSimpleRequestProcessor<
typename TService::Stub,
TRequest,
TResponse>::TAsyncRequest;

private:
class TImpl : public std::enable_shared_from_this<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>::TImpl> {
public:
TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller)
TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
: Client(std::make_unique<NYdbGrpc::TGRpcClientLow>())
, Connection_(nullptr)
, Rpc_(rpc)
, Ticket_("")
, NextTicketUpdate_(TInstant::Zero())
, IamEndpoint_(iamEndpoint)
Expand Down Expand Up @@ -67,7 +74,7 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
Connection_->template DoRequest<TRequest, TResponse>(
std::move(req),
std::move(cb),
&TService::Stub::AsyncCreate,
Rpc_,
{ {}, {}, IamEndpoint_.RequestTimeout }
);

Expand Down Expand Up @@ -142,9 +149,9 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
}

private:

std::unique_ptr<NYdbGrpc::TGRpcClientLow> Client;
std::unique_ptr<NYdbGrpc::TServiceConnection<TService>> Connection_;
TSimpleRpc Rpc_;
std::string Ticket_;
TInstant NextTicketUpdate_;
const TIamEndpoint IamEndpoint_;
Expand All @@ -157,8 +164,8 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
};

public:
TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller)
: Impl_(std::make_shared<TImpl>(endpoint, requestFiller))
TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
: Impl_(std::make_shared<TImpl>(endpoint, requestFiller, rpc))
{
Impl_->UpdateTicket(true);
}
Expand Down Expand Up @@ -186,7 +193,7 @@ class TIamJwtCredentialsProvider : public TGrpcIamCredentialsProvider<TRequest,
: TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
[jwtParams = params.JwtParams](TRequest& req) {
req.set_jwt(MakeSignedJwt(jwtParams));
}) {}
}, &TService::Stub::AsyncCreate) {}
};

template<typename TRequest, typename TResponse, typename TService>
Expand All @@ -196,7 +203,7 @@ class TIamOAuthCredentialsProvider : public TGrpcIamCredentialsProvider<TRequest
: TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
[token = params.OAuthToken](TRequest& req) {
req.set_yandex_passport_oauth_token(TStringType{token});
}) {}
}, &TService::Stub::AsyncCreate) {}
};

template<typename TRequest, typename TResponse, typename TService>
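Review bot: The public constructor `TGrpcIamCredentialsProvider(const TIamEndpoint&, const TRequestFiller&, TSimpleRpc rpc)` gains a mandatory third argument, and the hunks for `TIamJwtCredentialsProvider` and `TIamOAuthCredentialsProvider` show that every existing subclass had to be touched to pass `&TService::Stub::AsyncCreate`; any out-of-tree subclass of this template (it lives in a shipped header) will stop compiling. Giving the parameter a default, `TSimpleRpc rpc = &TService::Stub::AsyncCreate`, keeps the old two-argument form working while letting the SSA provider pass `AsyncCreateForService`. The new `TSimpleRpc` alias is also undocumented; a line such as `/// Pointer to the async stub method that issues the token request (e.g. AsyncCreate).` above it would explain why the alias exists. The enclosing class `TGrpcIamCredentialsProvider` starts before the first hunk and its body continues outside the hunks shown.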
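--- a/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h
+++ b/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h
@@ -0,0 +1,28 @@
+#include <ydb-cpp-sdk/client/iam_private/common/types.h>
+
+#include <src/client/iam/common/iam.h>
+
+namespace NYdb::inline V3 {
+
+template<typename TRequest, typename TResponse, typename TService>
+
+class TIamServiceCredentialsProviderFactory : public ICredentialsProviderFactory {
+public:
+TIamServiceCredentialsProviderFactory(const TIamServiceParams& params) : Params_(params) {}
+
+TCredentialsProviderPtr CreateProvider() const final {
+return std::make_shared<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>>(Params_,
+[params = Params_](TRequest& req) {
+req.set_service_id(params.ServiceId);
+req.set_microservice_id(params.MicroserviceId);
+req.set_resource_id(params.ResourceId);
+req.set_resource_type(params.ResourceType);
+req.set_target_service_account_id(params.TargetServiceAccountId);
+}, &TService::Stub::AsyncCreateForService);
+}
+
+private:
+TIamServiceParams Params_;
+};
+
+}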
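Review bot: This new header has no include guard, unlike the other headers in the PR which start with `#pragma once`; a translation unit that includes it twice (directly and via another header) will redefine `TIamServiceCredentialsProviderFactory`. Add `#pragma once` as the first line. The single-argument constructor should also be `explicit TIamServiceCredentialsProviderFactory(const TIamServiceParams& params)` so a bare `TIamServiceParams` cannot silently convert into a factory, and the stray blank line between `template<...>` and `class` should go. A one-line `///` comment on the class stating that the provider it creates calls `IamTokenService.CreateForService` with the captured parameters would match the documentation style of the public iam.h.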
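--- a/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make
+++ b/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make
@@ -0,0 +1,14 @@
+LIBRARY()
+
+INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)
+
+SRCS(
+iam.h
+)
+
+PEERDIR(
+ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common
+ydb/public/sdk/cpp/src/client/iam/common
+)
+
+END()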
20 changes: 15 additions & 5 deletions ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
@@ -1,17 +1,19 @@
#include <ydb-cpp-sdk/client/iam_private/iam.h>
#include "common/iam.h"

#include <src/client/iam/common/iam.h>
#include <ydb-cpp-sdk/client/iam_private/iam.h>

#include <ydb/public/api/client/yc_private/iam/iam_token_service.pb.h>
#include <ydb/public/api/client/yc_private/iam/iam_token_service.grpc.pb.h>

using namespace yandex::cloud::priv::iam::v1;

namespace NYdb::inline V3 {

TCredentialsProviderFactoryPtr CreateIamJwtCredentialsProviderFactoryImplPrivate(TIamJwtParams&& jwtParams) {
return std::make_shared<TIamJwtCredentialsProviderFactory<
yandex::cloud::priv::iam::v1::CreateIamTokenRequest,
yandex::cloud::priv::iam::v1::CreateIamTokenResponse,
yandex::cloud::priv::iam::v1::IamTokenService
CreateIamTokenRequest,
CreateIamTokenResponse,
IamTokenService
>>(std::move(jwtParams));
}

Expand All @@ -25,4 +27,12 @@ TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPriva
return CreateIamJwtCredentialsProviderFactoryImplPrivate(std::move(jwtParams));
}

TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params) {
return std::make_shared<TIamServiceCredentialsProviderFactory<
CreateIamTokenForServiceRequest,
CreateIamTokenResponse,
IamTokenService
>>(std::move(params));
}

}
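Review bot: In `CreateIamServiceCredentialsProviderFactory` (second hunk) `std::move(params)` is applied to a `const TIamServiceParams&`, which yields a const rvalue that still binds to the factory's `const TIamServiceParams&` constructor, so the call copies anyway and the `std::move` only misleads the reader into thinking ownership is transferred. Replace the line with `>>(params);`. The JWT sibling above it really does take `TIamJwtParams&&`, which is presumably why the pattern was copied; the function is fully contained in the hunk.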
2 changes: 1 addition & 1 deletion ydb/public/sdk/cpp/src/client/iam_private/ya.make
Expand Up @@ -8,7 +8,7 @@ SRCS(

PEERDIR(
ydb/public/api/client/yc_private/iam
ydb/public/sdk/cpp/src/client/iam/common
ydb/public/sdk/cpp/src/client/iam_private/common
)

END()