Support Impersonate Service Account

Added support for Impersonate Service Account as a way to send a Request to IAP without creating a Service Account Key.
https://cloud.google.com/iam/docs/impersonating-service-accounts

Author: sinmetal

README.md

@@ -5,12 +5,22 @@ iap_curl
 
 ## Usage
 
+### Option1: Use Application Default Credential
+
 ```console
 $ export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
 $ export IAP_CLIENT_ID="342624545358-asdfd8fas9df8sd7ga0sdguadfpvqp69.apps.googleusercontent.com"
 $ iap_curl http://iap-protected.webapp.com
 ```
 
+### Option2: Use [Impersonate Service Account](https://cloud.google.com/iam/docs/impersonating-service-accounts)
+
+```console
+$ export CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT="client@project-id.iam.gserviceaccount.com"
+$ export IAP_CLIENT_ID="342624545358-asdfd8fas9df8sd7ga0sdguadfpvqp69.apps.googleusercontent.com"
+$ iap_curl http://iap-protected.webapp.com
+```
+
 The options of `iap_curl` are fully compatible with `curl` command.
 
 If you want to use [httpstat](https://github.com/b4b4r07/httpstat) instead of `curl`, please specify `IAP_CURL_BIN` environment variable:
@@ -50,6 +60,8 @@ Body discarded
 
 You can save the URL of frequently used service together with its Env (`IAP_CLIENT_ID` ...) in a JSON file (see also [#1](https://github.com/b4b4r07/iap_curl/issues/1)). This file is located in `~/.config/iap_curl/config.json`.
 
+### Option1: Use Application Default Credential
+
 ```json
 {
   "services": [
@@ -65,6 +77,23 @@ You can save the URL of frequently used service together with its Env (`IAP_CLIE
 }
 ```
 
+### Option2: Use [Impersonate Service Account](https://cloud.google.com/iam/docs/impersonating-service-accounts)
+
+```json
+{
+  "services": [
+    {
+      "url": "https://my.service.com/health",
+      "env": {
+        "CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT": "client@project-id.iam.gserviceaccount.com",
+        "IAP_CLIENT_ID": "839558305167-s3akt4doo38lckhaac1ucfdp0e4921tc.apps.googleusercontent.com",
+        "IAP_CURL_BIN": "curl"
+      }
+    }
+  ]
+}
+```
+
 Thanks to that, you can access more easier like curl.
 
 ```console

config.go

@@ -16,9 +16,10 @@ import (
 )
 
 const (
-	envCredentials = "GOOGLE_APPLICATION_CREDENTIALS"
-	envClientID    = "IAP_CLIENT_ID"
-	envCurlCommand = "IAP_CURL_BIN"
+	envCredentials               = "GOOGLE_APPLICATION_CREDENTIALS"
+	envImpersonateServiceAccount = "CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT"
+	envClientID                  = "IAP_CLIENT_ID"
+	envCurlCommand               = "IAP_CURL_BIN"
 )
 
 // Config represents
@@ -37,9 +38,10 @@ type Service struct {
 
 // Env represents the environment variables needed to request to IAP-protected app
 type Env struct {
-	Credentials string `json:"GOOGLE_APPLICATION_CREDENTIALS"`
-	ClientID    string `json:"IAP_CLIENT_ID"`
-	Binary      string `json:"IAP_CURL_BIN"`
+	Credentials               string `json:"GOOGLE_APPLICATION_CREDENTIALS"`
+	ImpersonateServiceAccount string `json:"CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT"`
+	ClientID                  string `json:"IAP_CLIENT_ID"`
+	Binary                    string `json:"IAP_CURL_BIN"`
 }
 
 func configDir() (string, error) {
@@ -125,19 +127,23 @@ func (cfg *Config) getEnvFromFile(url string) (env Env, err error) {
 func (cfg *Config) GetEnv(url string) (env Env, err error) {
 	env, _ = cfg.getEnvFromFile(url)
 	credentials := os.Getenv(envCredentials)
+	impersonateServiceAccount := os.Getenv(envImpersonateServiceAccount)
 	clientID := os.Getenv(envClientID)
 	binary := os.Getenv(envCurlCommand)
 	if credentials == "" {
 		credentials, _ = homedir.Expand(env.Credentials)
 	}
+	if impersonateServiceAccount == "" {
+		impersonateServiceAccount, _ = homedir.Expand(env.ImpersonateServiceAccount)
+	}
 	if clientID == "" {
 		clientID = env.ClientID
 	}
 	if binary == "" {
 		binary = env.Binary
 	}
-	if credentials == "" {
-		return env, fmt.Errorf("%s is missing", envCredentials)
+	if credentials == "" && impersonateServiceAccount == "" {
+		return env, fmt.Errorf("%s and %s is missing. Either is required", envCredentials, envImpersonateServiceAccount)
 	}
 	if clientID == "" {
 		return env, fmt.Errorf("%s is missing", envClientID)
@@ -146,9 +152,10 @@ func (cfg *Config) GetEnv(url string) (env Env, err error) {
 		binary = "curl"
 	}
 	return Env{
-		Credentials: credentials,
-		ClientID:    clientID,
-		Binary:      binary,
+		Credentials:               credentials,
+		ImpersonateServiceAccount: impersonateServiceAccount,
+		ClientID:                  clientID,
+		Binary:                    binary,
 	}, nil
 }
 

go.mod

@@ -3,14 +3,9 @@ module github.com/b4b4r07/iap_curl
 go 1.12
 
 require (
-	cloud.google.com/go v0.16.0 // indirect
 	github.com/alessio/shellescape v0.0.0-20190409004728-b115ca0f9053 // indirect
-	github.com/golang/protobuf v0.0.0-20171113180720-1e59b77b52bf // indirect
+	github.com/apstndb/tokensource v0.0.0-20210528072307-642759746b05
 	github.com/hashicorp/logutils v1.0.0
 	github.com/mitchellh/go-homedir v0.0.0-20161203194507-b8bc1bf76747
-	golang.org/x/net v0.0.0-20171123081856-c7086645de24 // indirect
-	golang.org/x/oauth2 v0.0.0-20171117235251-f95fa95eaa93
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e // indirect
-	google.golang.org/appengine v1.0.0 // indirect
 	gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61
 )