Skip to content

feat(pam): add GCP Service Account proxy and gateway handler#301

Merged
bernie-g merged 9 commits into
mainfrom
bernie/pam-315-gcp-service-account-access
Jul 7, 2026
Merged

feat(pam): add GCP Service Account proxy and gateway handler#301
bernie-g merged 9 commits into
mainfrom
bernie/pam-315-gcp-service-account-access

Conversation

@bernie-g

@bernie-g bernie-g commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds CLI-side local proxy that configures gcloud to route through an Infisical gateway
  • Gateway-side HTTP forward proxy performs TLS MITM to inject GCP Bearer tokens into requests
  • Credential cache TTL capped at 1 hour to match GCP token lifetime

Companion backend PR: Infisical/infisical#7193

Test plan

  • Start a GCP Service Account PAM session via infisical pam access
  • Verify gcloud commands (e.g. gcloud compute instances list) work through the proxy
  • Verify proxy settings are reverted on shutdown

bernie-g added 7 commits June 29, 2026 20:35
Add CLI-side local proxy that configures gcloud to route through an
Infisical gateway, and a gateway-side HTTP forward proxy that performs
TLS MITM to inject GCP Bearer tokens into requests.
GCP access tokens max out at 3600s. For sessions longer than 1 hour,
the cached token would go stale. Cap the cache TTL so the gateway
re-fetches a fresh token before the old one expires.
Reject hosts containing @ to prevent URL userinfo trick where
googleapis.com:443@attacker.example passes the suffix check but
url.Parse resolves to the attacker's host, leaking the bearer token.
@infisical-review-police

Copy link
Copy Markdown

💬 Discussion in Slack: #pr-review-cli-301-feat-pam-add-gcp-service-account-proxy-and-gateway-handler

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@linear

linear Bot commented Jul 7, 2026

Copy link
Copy Markdown

PAM-315

@gitguardian

gitguardian Bot commented Jul 7, 2026

Copy link
Copy Markdown

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
34388528 Triggered Generic Database Assignment 77eebc7 packages/pam/local/access.go View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@bernie-g bernie-g marked this pull request as ready for review July 7, 2026 15:31
@greptile-apps

greptile-apps Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds GCP Service Account PAM support: a CLI-side local proxy that auto-configures gcloud to route through an Infisical gateway, and a gateway-side HTTP forward proxy that performs TLS MITM to inject GCP Bearer tokens into requests.

  • packages/pam/handlers/gcp/proxy.go — new gateway handler: validates Host headers against a GCP allowlist, terminates TLS using a per-connection CA, injects the Bearer token, and forwards to googleapis.com. Contains an SSRF bypass in isGCPHost and unbounded request body buffering.
  • packages/pam/local/gcp-proxy.go — new CLI proxy: generates a local CA, configures gcloud via gcloud config set, relays each connection to the gateway (sending the CA cert and private key over the relay), and reverts settings on shutdown.
  • Supporting files (model.go, credentials.go, uploader.go, pam-proxy.go, access.go) correctly wire up the new resource type end-to-end.

Confidence Score: 3/5

The gateway host-allowlist check has a bypass that allows forwarding requests to arbitrary internet hosts from the gateway network; this should be fixed before merging.

The core logic in isGCPHost uses a suffix match without sanitizing URL-special characters like #. A crafted Host header such as evil.com#.googleapis.com passes the check but resolves to evil.com once passed to url.Parse, so the gateway can be directed at arbitrary hosts. Additionally, the CA private key travels over the relay wire on every connection, broadening the blast radius of any relay compromise. The supporting scaffolding (credential mapping, uploader, routing) is sound, and the TTL capping for GCP tokens is correct.

packages/pam/handlers/gcp/proxy.go — isGCPHost and handleRequest need URL-safe host validation; packages/pam/local/gcp-proxy.go — CA key transmission design warrants a second look

Security Review

  • SSRF bypass in isGCPHost (packages/pam/handlers/gcp/proxy.go): The Host allowlist check uses strings.HasSuffix(h, \".googleapis.com\"). A Host value like evil.com#.googleapis.com passes the suffix check but causes url.Parse to treat # as a fragment delimiter, making the effective destination evil.com. The gateway would then forward the request to an arbitrary host reachable from its network. The same bypass applies in handleConnect.
  • CA private key transmitted to gateway (packages/pam/local/gcp-proxy.go): The TLS MITM CA's private key is sent from the client to the gateway over the relay on every connection. Compromise of the relay transport exposes a key capable of signing trusted certificates for all *.googleapis.com domains.

Important Files Changed

Filename Overview
packages/pam/handlers/gcp/proxy.go New gateway-side HTTP forward proxy with TLS MITM for GCP; contains an SSRF bypass in isGCPHost (fragment char # not stripped before suffix check) and unbounded io.ReadAll on request bodies
packages/pam/local/gcp-proxy.go New CLI-side local proxy that auto-configures gcloud and relays connections to the gateway; transmits CA private key to gateway on every connection, raising key-exposure concerns
packages/pam/pam-proxy.go Adds GCP service account routing and correctly caps credential cache TTL to 1 hour to match GCP token lifetime
packages/pam/session/uploader.go Extends resource-type regex and upload path for GCP sessions; error message on upload still reads "Kubernetes session file" for GCP resource type
packages/pam/session/credentials.go Adds Token and ServiceAccountEmail fields to PAMCredentials struct and maps them from the API response; straightforward and correct
packages/api/model.go Adds Token and ServiceAccountEmail to PAMSessionCredentials API model; clean addition
packages/pam/local/access.go Adds gcp-service-account constant and routes it to startGCPProxy; straightforward

Comments Outside Diff (1)

  1. packages/pam/session/uploader.go, line 696-700 (link)

    P2 The error message still says "Kubernetes session file" when the resource type is gcp-service-account. This will be misleading in production logs and makes debugging harder.

    Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Reviews (1): Last reviewed commit: "Rename GCP IAM to GCP Service Account in..." | Re-trigger Greptile

Comment thread packages/pam/handlers/gcp/proxy.go
Comment thread packages/pam/local/gcp-proxy.go
Comment thread packages/pam/handlers/gcp/proxy.go
Comment thread packages/pam/handlers/gcp/proxy.go
@veria-ai

veria-ai Bot commented Jul 7, 2026

Copy link
Copy Markdown

PR overview

All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review

No open security issues remain on this pull request.

Fixed/addressed: 1 · PR risk: 0/10

bernie-g added 2 commits July 7, 2026 12:58
Large GCS uploads or downloads could force the gateway to buffer the
entire payload into memory for audit logging. Cap the logged body to
1 MiB while still streaming the full content to the client.
@bernie-g bernie-g merged commit 3f6d383 into main Jul 7, 2026
26 of 29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants