final fix to make service account impersonation work with iap tunnels (#10054)

2020-10-06 12:34:06 -07:00 · 2020-10-06 12:34:06 -07:00 · 61c6085651
parent d05eb3401b
commit 61c6085651
2 changed files with 14 additions and 8 deletions
--- a/builder/googlecompute/builder.go
+++ b/builder/googlecompute/builder.go
@ -77,10 +77,11 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 			Debug: b.config.PackerDebug,
 		},
 		&StepStartTunnel{
-			IAPConf:     &b.config.IAPConfig,
-			CommConf:    &b.config.Comm,
-			AccountFile: b.config.AccountFile,
-			ProjectId:   b.config.ProjectId,
+			IAPConf:            &b.config.IAPConfig,
+			CommConf:           &b.config.Comm,
+			AccountFile:        b.config.AccountFile,
+			ImpersonateAccount: b.config.ImpersonateServiceAccount,
+			ProjectId:          b.config.ProjectId,
 		},
 		&communicator.StepConnect{
 			Config:      &b.config.Comm,
--- a/builder/googlecompute/step_start_tunnel.go
+++ b/builder/googlecompute/step_start_tunnel.go
@ -131,10 +131,11 @@ func (e RetryableTunnelError) Error() string {
 }

 type StepStartTunnel struct {
-	IAPConf     *IAPConfig
-	CommConf    *communicator.Config
-	AccountFile string
-	ProjectId   string
+	IAPConf            *IAPConfig
+	CommConf           *communicator.Config
+	AccountFile        string
+	ImpersonateAccount string
+	ProjectId          string

 	tunnelDriver TunnelDriver
 }
@ -276,6 +277,10 @@ func (s *StepStartTunnel) Run(ctx context.Context, state multistep.StateBag) mul
 		"--zone", c.Zone, "--project", s.ProjectId,
 	}

+	if s.ImpersonateAccount != "" {
+		args = append(args, fmt.Sprintf("--impersonate-service-account='%s'", s.ImpersonateAccount))
+	}
+
 	// This is the port the IAP tunnel listens on, on localhost.
 	// TODO make setting LocalHostPort optional
 	err = ApplyIAPTunnel(s.CommConf, s.IAPConf.IAPLocalhostPort)