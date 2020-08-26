YubiKey Introduction: GCP Service Account Key Generator

@ dinvlad Denis Loginov Google Certified Cloud Architect, Application Security Engineer, a novice writer

Or how to stop leakage of your keys once and for all

Service Account (SA) keys have been a long-standing way to access Google Cloud Platform (GCP) services from developer machines. However, these credentials, typically distributed as unencrypted JSON files, are prone to significant security weaknesses:

Most often, they’re accidentally leaked by the developer though a Git commit.They can also be unintentionally copied away from the machine by a backup process, and later on abused by someone else.A rogue process on the machine with access to the file system can send them straight to an abuser’s hands.

The impact of such leakage depends on which permissions a SA has. In addition, with so many keys being generated every day in big organizations, it can be challenging to even detect such abuse. Stories abound where one compromised high-privilege account could ruin an entire company’s wealth of data and reputation!

But does it have to be this way?

Some cloud platforms allow enforcement of 2-factor authentication (2FA) for long-term credential access. More specifically, for example, on AWS one can indicate that a certain group of users must exchange their long-term access key pair for temporary STS credentials, using an OTP code, which can be generated, for example, with a YubiKey.

This has not been the case on GCP. Up until recently, there has been no simple way to enforce 2-factor auth for access with a SA key, while also preventing key leakage.

As a compromise, someone from GCP suggested downloading a key and moving its private portion to a YubiKey, which can happily store such industry-standard private keys in one of its slots. After that, a special-purpose library could generate a Google ID JWT token signed with YubiKey’s private key. Finally, it could exchange the ID token for an OAuth 2.0 Google access token.

While this is a pretty decent solution, it still leaves a (smaller) potential for accidental leakage of SA keys, and is somewhat cumbersome to set up due to the many steps involved.

What if I told you that there’s now an easier, and more secure, way?

Enter google-yubikey!

This CLI tool takes a similar, but crucially different approach.

The private key is generated and converted to a certificate directly on the YubiKey, and then the public certificate can be uploaded to GCP instead!

This was made possible thanks to a recently discovered beta IAM API method (kudos to Lukas Karlsson for finding it!).

The procedure uses only 3 steps:

1. Generate the private key on the device, and store its public certificate into a file:

google-yubikey generate-key > yubikey.pem

2. Upload the public key either using gcloud SDK:

gcloud beta iam service-accounts keys upload yubikey.pem \ --iam-account <service_account_email>

or through Google Cloud Console:

3. Finally, generate an access or ID token:

google-yubikey token - a <service_account_email> [-t id]

We use OS-independent yubikey-manager library to interact with the YubiKey, and standard requests library to then optionally exchange the signed ID token for an access token.

Step 2 above requires interacting with a privileged user’s machine, who has a Service Account Key Admin role and has to sign in to GCP, so it is impossible to completely avoid storing long-term credentials on their machine. However, this is still a much stronger approach than simply allowing each developer to download a SA key on their own machine! A developer can now send their public certificate to an admin user, and rest assured their credential will not be accidentally leaked.

Step 3 is what a developer can use on the regular basis going forward. Additionally, they may follow step 2 to set up the same YubiKey with other SAs (even in other GCP projects!). This effectively makes the YubiKey represent the developer themselves across many SAs, without storing or transmitting their long-term credentials in an insecure fashion at any point.

Another benefit from using YubiKey is the ability to protect token generation with a PIN (as done by the google-yubikey tool). This effectively gives the developer a 2nd factor of authentication — something they have (YubiKey) + something they know (PIN). It is not as strong form of 2FA as an OTP code, but it does give an extra level of protection that’s harder to abuse, even if the device itself is stolen!

I hope that this new tool helps you secure your GCP developer workforce. Please let me know here, on Twitter, or open an issue on GitHub if you have any questions/concerns. I’d be happy to hear how you use it.

Disclaimer: this was a fun weekend hobby project, so the lack of tests and possibility of creating a black hole in the universe should be taken lightly ;)

Previously published at https://medium.com/@dinvlad/yubikey-as-a-gcp-service-account-key-255b838a718a

