feat(pam): add GCP Service Account proxy and gateway handler#301
Conversation
Add CLI-side local proxy that configures gcloud to route through an Infisical gateway, and a gateway-side HTTP forward proxy that performs TLS MITM to inject GCP Bearer tokens into requests.
GCP access tokens max out at 3600s. For sessions longer than 1 hour, the cached token would go stale. Cap the cache TTL so the gateway re-fetches a fresh token before the old one expires.
Reject hosts containing @ to prevent URL userinfo trick where googleapis.com:443@attacker.example passes the suffix check but url.Parse resolves to the attacker's host, leaking the bearer token.
|
💬 Discussion in Slack: #pr-review-cli-301-feat-pam-add-gcp-service-account-proxy-and-gateway-handler Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel. |
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 34388528 | Triggered | Generic Database Assignment | 77eebc7 | packages/pam/local/access.go | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
|
| Filename | Overview |
|---|---|
| packages/pam/handlers/gcp/proxy.go | New gateway-side HTTP forward proxy with TLS MITM for GCP; contains an SSRF bypass in isGCPHost (fragment char # not stripped before suffix check) and unbounded io.ReadAll on request bodies |
| packages/pam/local/gcp-proxy.go | New CLI-side local proxy that auto-configures gcloud and relays connections to the gateway; transmits CA private key to gateway on every connection, raising key-exposure concerns |
| packages/pam/pam-proxy.go | Adds GCP service account routing and correctly caps credential cache TTL to 1 hour to match GCP token lifetime |
| packages/pam/session/uploader.go | Extends resource-type regex and upload path for GCP sessions; error message on upload still reads "Kubernetes session file" for GCP resource type |
| packages/pam/session/credentials.go | Adds Token and ServiceAccountEmail fields to PAMCredentials struct and maps them from the API response; straightforward and correct |
| packages/api/model.go | Adds Token and ServiceAccountEmail to PAMSessionCredentials API model; clean addition |
| packages/pam/local/access.go | Adds gcp-service-account constant and routes it to startGCPProxy; straightforward |
Comments Outside Diff (1)
-
packages/pam/session/uploader.go, line 696-700 (link)The error message still says "Kubernetes session file" when the resource type is
gcp-service-account. This will be misleading in production logs and makes debugging harder.Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Reviews (1): Last reviewed commit: "Rename GCP IAM to GCP Service Account in..." | Re-trigger Greptile
PR overviewAll previously flagged issues have been addressed. No open security concerns remain on this pull request. Security reviewNo open security issues remain on this pull request. Fixed/addressed: 1 · PR risk: 0/10 |
Large GCS uploads or downloads could force the gateway to buffer the entire payload into memory for audit logging. Cap the logged body to 1 MiB while still streaming the full content to the client.
Summary
Companion backend PR: Infisical/infisical#7193
Test plan
infisical pam accessgcloud compute instances list) work through the proxy