authorBulat <brgayazov@yandex-team.ru>2025-02-21 21:05:40 +0300
committerGitHub <noreply@github.com>2025-02-21 21:05:40 +0300
commitca757b2705774020ea7e90f456b2e0d8063ce370 (patch)
tree302e5452a7e9d6ca08e10ff7b01f701b219e3943
parent6c53efdf3dcfe8c9dbc836293b87eab745157c0d (diff)
downloadydb-ca757b2705774020ea7e90f456b2e0d8063ce370.tar.gz
Add CredentialsProvider for system service account (SSA) in C++ SDK (#14861)
-rw-r--r--ydb/public/api/client/yc_private/iam/iam_token_service.proto11
-rw-r--r--ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h15
-rw-r--r--ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make13
-rw-r--r--ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h5
-rw-r--r--ydb/public/sdk/cpp/src/client/iam/common/iam.h21
-rw-r--r--ydb/public/sdk/cpp/src/client/iam_private/common/iam.h28
-rw-r--r--ydb/public/sdk/cpp/src/client/iam_private/common/ya.make14
-rw-r--r--ydb/public/sdk/cpp/src/client/iam_private/iam.cpp20
-rw-r--r--ydb/public/sdk/cpp/src/client/iam_private/ya.make2
9 files changed, 116 insertions, 13 deletions
diff --git a/ydb/public/api/client/yc_private/iam/iam_token_service.proto b/ydb/public/api/client/yc_private/iam/iam_token_service.proto
index 74c03d778b..bb5a8634a2 100644
--- a/ydb/public/api/client/yc_private/iam/iam_token_service.proto
+++ b/ydb/public/api/client/yc_private/iam/iam_token_service.proto
@@ -18,6 +18,9 @@ service IamTokenService {
// create iam token for service account
rpc CreateForServiceAccount (CreateIamTokenForServiceAccountRequest) returns (CreateIamTokenResponse);
+ // create iam token for service
+ rpc CreateForService (CreateIamTokenForServiceRequest) returns (CreateIamTokenResponse);
+
// create iam token for compute instance
rpc CreateForComputeInstance (CreateIamTokenForComputeInstanceRequest) returns (CreateIamTokenResponse);
@@ -50,6 +53,14 @@ message CreateIamTokenForServiceAccountRequest {
string service_account_id = 1;
}
+message CreateIamTokenForServiceRequest {
+ string service_id = 1;
+ string microservice_id = 2;
+ string resource_id = 3;
+ string resource_type = 4;
+ string target_service_account_id = 5;
+}
+
message CreateIamTokenForComputeInstanceRequest {
string service_account_id = 1;
string instance_id = 2;
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h
new file mode 100644
index 0000000000..f7f070671e
--- /dev/null
+++ b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h
@@ -0,0 +1,15 @@
+#pragma once
+
+#include <ydb-cpp-sdk/client/iam/common/types.h>
+
+namespace NYdb::inline V3 {
+
+struct TIamServiceParams : TIamEndpoint {
+ std::string ServiceId;
+ std::string MicroserviceId;
+ std::string ResourceId;
+ std::string ResourceType;
+ std::string TargetServiceAccountId;
+};
+
+}
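Review bot: TIamServiceParams is a new public type whose five string members carry no documentation, and the only hint to their meaning is the identically named proto fields added at L38–L44, which are equally silent. Since these values select which service account a token is issued for, a reader of the public header should not have to open the proto to guess their roles. I would add a one-line struct comment such as `/// Parameters for issuing an IAM token to a system service (IamTokenService.CreateForService); the endpoint fields come from TIamEndpoint.` and, if the semantics of ResourceId/ResourceType versus TargetServiceAccountId are known to the author, a short `///` line on each member.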
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make
new file mode 100644
index 0000000000..e8c2e25fc7
--- /dev/null
+++ b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make
@@ -0,0 +1,13 @@
+LIBRARY(client-iam-private-common-include)
+
+INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)
+
+SRCS(
+ types.h
+)
+
+PEERDIR(
+ ydb/public/sdk/cpp/src/client/iam/common
+)
+
+END()
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h
index c4373c9478..48dd5ae61c 100644
--- a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h
+++ b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h
@@ -1,5 +1,7 @@
#pragma once
+#include "common/types.h"
+
#include <ydb-cpp-sdk/client/iam/common/types.h>
namespace NYdb::inline V3 {
@@ -10,4 +12,7 @@ TCredentialsProviderFactoryPtr CreateIamJwtFileCredentialsProviderFactoryPrivate
/// Acquire an IAM token using JSON Web Token (JWT) contents.
TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPrivate(const TIamJwtContent& param);
+/// Acquire an IAM token for system service account (SSA).
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params);
+
} // namespace NYdb
diff --git a/ydb/public/sdk/cpp/src/client/iam/common/iam.h b/ydb/public/sdk/cpp/src/client/iam/common/iam.h
index c7f7742c5a..22bd10e5fc 100644
--- a/ydb/public/sdk/cpp/src/client/iam/common/iam.h
+++ b/ydb/public/sdk/cpp/src/client/iam/common/iam.h
@@ -19,12 +19,19 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
protected:
using TRequestFiller = std::function<void(TRequest&)>;
+ using TSimpleRpc =
+ typename NYdbGrpc::TSimpleRequestProcessor<
+ typename TService::Stub,
+ TRequest,
+ TResponse>::TAsyncRequest;
+
private:
class TImpl : public std::enable_shared_from_this<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>::TImpl> {
public:
- TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller)
+ TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
: Client(std::make_unique<NYdbGrpc::TGRpcClientLow>())
, Connection_(nullptr)
+ , Rpc_(rpc)
, Ticket_("")
, NextTicketUpdate_(TInstant::Zero())
, IamEndpoint_(iamEndpoint)
@@ -67,7 +74,7 @@ private:
Connection_->template DoRequest<TRequest, TResponse>(
std::move(req),
std::move(cb),
- &TService::Stub::AsyncCreate,
+ Rpc_,
{ {}, {}, IamEndpoint_.RequestTimeout }
);
@@ -142,9 +149,9 @@ private:
}
private:
-
std::unique_ptr<NYdbGrpc::TGRpcClientLow> Client;
std::unique_ptr<NYdbGrpc::TServiceConnection<TService>> Connection_;
+ TSimpleRpc Rpc_;
std::string Ticket_;
TInstant NextTicketUpdate_;
const TIamEndpoint IamEndpoint_;
@@ -157,8 +164,8 @@ private:
};
public:
- TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller)
- : Impl_(std::make_shared<TImpl>(endpoint, requestFiller))
+ TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
+ : Impl_(std::make_shared<TImpl>(endpoint, requestFiller, rpc))
{
Impl_->UpdateTicket(true);
}
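Review bot: The public constructor now requires a third `TSimpleRpc rpc` argument with no default, so any subclass of TGrpcIamCredentialsProvider that is not updated in this commit stops compiling; the diff updates the JWT and OAuth providers, but another template begins at L173 whose body is outside the hunk and I cannot tell whether it is affected. Because every existing caller passes `&TService::Stub::AsyncCreate`, a defaulted parameter would keep source compatibility without changing behaviour: `TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc = &TService::Stub::AsyncCreate)`. The same applies to the TImpl constructor at L123. The enclosing class starts before the first hunk of this file.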
@@ -186,7 +193,7 @@ public:
: TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
[jwtParams = params.JwtParams](TRequest& req) {
req.set_jwt(MakeSignedJwt(jwtParams));
- }) {}
+ }, &TService::Stub::AsyncCreate) {}
};
template<typename TRequest, typename TResponse, typename TService>
@@ -196,7 +203,7 @@ public:
: TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
[token = params.OAuthToken](TRequest& req) {
req.set_yandex_passport_oauth_token(TStringType{token});
- }) {}
+ }, &TService::Stub::AsyncCreate) {}
};
template<typename TRequest, typename TResponse, typename TService>
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h b/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h
new file mode 100644
index 0000000000..bbc09b0d34
--- /dev/null
+++ b/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h
@@ -0,0 +1,28 @@
+#include <ydb-cpp-sdk/client/iam_private/common/types.h>
+
+#include <src/client/iam/common/iam.h>
+
+namespace NYdb::inline V3 {
+
+template<typename TRequest, typename TResponse, typename TService>
+
+class TIamServiceCredentialsProviderFactory : public ICredentialsProviderFactory {
+public:
+ TIamServiceCredentialsProviderFactory(const TIamServiceParams& params) : Params_(params) {}
+
+ TCredentialsProviderPtr CreateProvider() const final {
+ return std::make_shared<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>>(Params_,
+ [params = Params_](TRequest& req) {
+ req.set_service_id(params.ServiceId);
+ req.set_microservice_id(params.MicroserviceId);
+ req.set_resource_id(params.ResourceId);
+ req.set_resource_type(params.ResourceType);
+ req.set_target_service_account_id(params.TargetServiceAccountId);
+ }, &TService::Stub::AsyncCreateForService);
+ }
+
+private:
+ TIamServiceParams Params_;
+};
+
+}
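Review bot: The new header has no include guard — it starts directly with `#include` at L180, whereas the sibling header added in this commit (types.h, L55) begins with `#pragma once`; being included from both iam.cpp and, transitively, anything that pulls in this library will produce a redefinition of TIamServiceCredentialsProviderFactory. Add `#pragma once` as the first line. Two smaller points in the same file: the blank line between `template<...>` and `class` at L187 is a stray and should be removed, and the single-argument constructor at L190 should be `explicit TIamServiceCredentialsProviderFactory(const TIamServiceParams& params) : Params_(params) {}` so a TIamServiceParams cannot be implicitly converted into a factory.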
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make b/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make
new file mode 100644
index 0000000000..a2990e6345
--- /dev/null
+++ b/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make
@@ -0,0 +1,14 @@
+LIBRARY()
+
+INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)
+
+SRCS(
+ iam.h
+)
+
+PEERDIR(
+ ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common
+ ydb/public/sdk/cpp/src/client/iam/common
+)
+
+END()
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp b/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
index 09d7e56683..67268c942c 100644
--- a/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
+++ b/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
@@ -1,17 +1,19 @@
-#include <ydb-cpp-sdk/client/iam_private/iam.h>
+#include "common/iam.h"
-#include <src/client/iam/common/iam.h>
+#include <ydb-cpp-sdk/client/iam_private/iam.h>
#include <ydb/public/api/client/yc_private/iam/iam_token_service.pb.h>
#include <ydb/public/api/client/yc_private/iam/iam_token_service.grpc.pb.h>
+using namespace yandex::cloud::priv::iam::v1;
+
namespace NYdb::inline V3 {
TCredentialsProviderFactoryPtr CreateIamJwtCredentialsProviderFactoryImplPrivate(TIamJwtParams&& jwtParams) {
return std::make_shared<TIamJwtCredentialsProviderFactory<
- yandex::cloud::priv::iam::v1::CreateIamTokenRequest,
- yandex::cloud::priv::iam::v1::CreateIamTokenResponse,
- yandex::cloud::priv::iam::v1::IamTokenService
+ CreateIamTokenRequest,
+ CreateIamTokenResponse,
+ IamTokenService
>>(std::move(jwtParams));
}
@@ -25,4 +27,12 @@ TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPriva
return CreateIamJwtCredentialsProviderFactoryImplPrivate(std::move(jwtParams));
}
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params) {
+ return std::make_shared<TIamServiceCredentialsProviderFactory<
+ CreateIamTokenForServiceRequest,
+ CreateIamTokenResponse,
+ IamTokenService
+ >>(std::move(params));
+}
+
}
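Review bot: `std::move(params)` at L260 is applied to a `const TIamServiceParams&`, so it yields a `const&&` that binds to the factory's `const TIamServiceParams&` constructor and copies anyway; the move is a no-op that misleads the reader (clang-tidy performance-move-const-arg). Either drop it, `>>(params);`, or, if avoiding the copy matters, take `params` by value in this function and the factory constructor and move it through. The blanket `using namespace yandex::cloud::priv::iam::v1;` at L239 is at file scope of a .cpp, which is acceptable, but note it now also makes the unqualified `CreateIamTokenForServiceRequest` here depend on that directive.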
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/ya.make b/ydb/public/sdk/cpp/src/client/iam_private/ya.make
index 251d348307..ce4b7a5129 100644
--- a/ydb/public/sdk/cpp/src/client/iam_private/ya.make
+++ b/ydb/public/sdk/cpp/src/client/iam_private/ya.make
@@ -8,7 +8,7 @@ SRCS(
PEERDIR(
ydb/public/api/client/yc_private/iam
- ydb/public/sdk/cpp/src/client/iam/common
+ ydb/public/sdk/cpp/src/client/iam_private/common
)
END()