GCP IID and Additional Principals

[bigeasy]

I've been working through DIY tutorial with GCP as my target for hosts instead of AWS. I've adapted the cloud-init script to use the GCP provisioner. This is the script below.

CA_URL=https://ca.prettyrobots.com
CA_FINGERPRINT=ba40a85433eafa2a4e77b200066883488affce6ad6ab478efc6521723c0e1aaa

STEPCLI_VERSION="0.18.0"

curl -LO "https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb"
dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb

step ca bootstrap --force --ca-url $CA_URL --fingerprint $CA_FINGERPRINT

step ssh config --roots > $(step path)/certs/ssh_user_key.pub

# Found that I didn't have to do this myself as in the DIY `cloud-init` example. I've
# left it here for reference.
AUDIENCE="https%3A%2F%2Fca.prettyrobots.com%2F1.0%2Fsign%23gcp%2FGoogle%20Cloud"
TOKEN=$(curl -s -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=${AUDIENCE}&format=full")

sleep 1

step ssh certificate --provisioner "Google Cloud"  --host --sign \
    --principal sandbox.prettyrobots.com sandbox.prettyrobots.com /etc/ssh/ssh_host_ecdsa_key.pub
 

When I run this script it will not add the additional principals to the signature.

 % ssh-keygen -L -f /etc/ssh/ssh_host_ecdsa_key-cert.pub
/etc/ssh/ssh_host_ecdsa_key-cert.pub:
        Type: [email protected] host certificate
        Public key: ECDSA-CERT SHA256:VbSYCeAI9yfDu7FpIxeB5g0Lo5aClyYO6PAf/ZK8gXQ
        Signing CA: ECDSA SHA256:ay+MZ6bWeqAaA6IC3CcGJTSmB28mAdRqwQOj+aZAUb4 (using ecdsa-sha2-nistp256)
        Key ID: "sandbox--prettyrobots--com"
        Serial: 4682474727083798602
        Valid: from 2021-12-19T05:17:48 to 2022-01-18T05:18:48
        Principals:
                sandbox--prettyrobots--com.c.prettyrobots-sandbox.internal
                sandbox--prettyrobots--com.us-central1-b.c.prettyrobots-sandbox.internal
        Critical Options: (none)
        Extensions: (none)

However when I sign using the JWK provisioner the principals appear.

 % sudo step ssh certificate --force --password-file password.txt --provisioner [email protected] --host --sign --principal sandbox.prettyrobots.com sandbox.prettyrobots.com /etc/ssh/ssh_host_ecdsa_key.pub
✔ Provisioner: [email protected] (JWK) [kid: TzQ_5FTMJ1mFNvejVrr3m4MjBcJY_bONAVMwb97LsHQ]
✔ CA: https://ca.prettyrobots.com
✔ Certificate: /etc/ssh/ssh_host_ecdsa_key-cert.pub
 % ssh-keygen -L -f /etc/ssh/ssh_host_ecdsa_key-cert.pub                                                                                             ~ sandbox
/etc/ssh/ssh_host_ecdsa_key-cert.pub:
        Type: [email protected] host certificate
        Public key: ECDSA-CERT SHA256:VbSYCeAI9yfDu7FpIxeB5g0Lo5aClyYO6PAf/ZK8gXQ
        Signing CA: ECDSA SHA256:ay+MZ6bWeqAaA6IC3CcGJTSmB28mAdRqwQOj+aZAUb4 (using ecdsa-sha2-nistp256)
        Key ID: "alan.prettyrobots.com"
        Serial: 9237869711686903955
        Valid: from 2021-12-19T05:28:36 to 2022-01-18T05:29:36
        Principals:
                sandbox.prettyrobots.com
        Critical Options: (none)
        Extensions: (none)
 

I noticed in the logs that the GCP provisioner request does not send the principals. It makes me wonder if I have something configured incorrectly on the client side of if I've neglected to add a command line switch.

{
  "aud": "https://ca.prettyrobots.com/1.0/sign#gcp/Google%20Cloud",
  "azp": "106715411475416313306",
  "email": "[email protected]",
  "email_verified": true,
  "exp": 1639894728,
  "google": {
    "compute_engine": {
      "instance_creation_timestamp": 1639886317,
      "instance_id": "40073061689688340",
      "instance_name": "sandbox--prettyrobots--com",
      "project_id": "prettyrobots-sandbox",
      "project_number": 130853332444,
      "zone": "us-central1-b"
    }
  },
  "iat": 1639891128,
  "iss": "https://accounts.google.com",
  "sub": "106715411475416313306"
}

The payload from the JWT token given to GCP is above The following is for JWK.

{
  "aud": "https://ca.prettyrobots.com/1.0/ssh/sign",
  "exp": 1639896558,
  "iat": 1639896258,
  "iss": "[email protected]",
  "jti": "e20815a78a04196a4e19e2f6208d6ac73c5e8529f39b6f96b3c81f902198e0fe",
  "nbf": 1639896258,
  "sha": "ba40a85433eafa2a4e77b200066883488affce6ad6ab478efc6521723c0e1aaa",
  "step": {
    "ssh": {
      "certType": "host",
      "keyID": "sandbox.prettyrobots.com",
      "principals": [
        "sandbox.prettyrobots.com"
      ],
      "validAfter": "",
      "validBefore": ""
    }
  },
  "sub": "sandbox.prettyrobots.com"
}

Here is the configuration for for GCP provisioner. It's been softened to allow for debugging.

   {
      "type": "GCP",
      "name": "Google Cloud",
      "serviceAccounts": null,
      "projectIDs": [
         "prettyrobots-sandbox"
      ],
      "disableCustomSANs": false,
      "disableTrustOnFirstUse": true,
      "instanceAge": "0s",
      "claims": {
         "maxTLSCertDuration": "2160h0m0s",
         "defaultTLSCertDuration": "2160h0m0s",
         "disableRenewal": true,
         "enableSSHCA": true
      },
      "options": {
         "x509": {
            "templateFile": "/home/step/config/x509_leaf.tpl"
         },
         "ssh": {
            "templateFile": "/home/step/config/ssh.tpl"
         }
      }
   }

The above examples were run in the order presented on a fresh GCP instance.

I've since moved onto using the JWK-based strategy and I'm happy with it, but I'm curious as to what I was doing wrong here.

[maraino]

Hi @bigeasy, I'm not sure what is wrong, I've just tested it with this configuration:

{
    "type": "GCP",
    "name": "GCP Provisioner",
    "serviceAccounts": ["REDACTED"],
    "projectIDs": ["REDACTED"],
    "disableCustomSANs": false,
    "disableTrustOnFirstUse": false,
    "instanceAge": "0s"
}

And running:

$ step ssh certificate --force --provisioner "GCP Provisioner" --host --principal sandbox.prettyrobots.com --sign sandbox.prettyrobots.com test.pub
✔ Provisioner: GCP Provisioner (GCP)
✔ CA: https://redacted
✔ Certificate: test-cert.pub
$ step ssh inspect test-cert.pub
test-cert.pub:
        Type: [email protected] host certificate
        Public key: ECDSA-CERT SHA256:/FtJtNVo7s1rVV2/Rc5y/hxsEXUvdMW7yID+vJD6zkI
        Signing CA: ECDSA SHA256:ETe0/7qtAOEkC3IKmL/MIjC9HIa8n6JL3C7jyFEP/3s
        Key ID: "REDACTED"
        Serial: 70329803775670899
        Valid: from 2021-12-28T12:47:50 to 2022-01-27T12:48:50
        Principals:
                sandbox.prettyrobots.com
        Critical Options: (none)
        Extensions: (none)

And it also works with "disableTrustOnFirstUse": true and "serviceAccounts": null.

In my case, step is obtaining the token automatically, but it should be the same.

My "enableSSHCA": true claim is at the authority level, that's why I don't have it in the configuration above, and I'm using the default template instead of a custom one like you (options.ssh), my guess this is the problem.

This is the default one used on GCP, here we use the principals passed using step and we validate the generated one according to the provisioner configuration:

{
	"type": {{ toJson .Type }},
	"keyId": {{ toJson .KeyID }},
{{- if .Insecure.CR.Principals }}
	"principals": {{ toJson .Insecure.CR.Principals }},
{{- else }}
	"principals": {{ toJson .Principals }},
{{- end }}
	"extensions": {{ toJson .Extensions }}
}