Support Instance SA authentication (#19)

* add fetch token

* move token fetch to yc client init

* remove unnecessary and dangerous outputs

* linter

* ycsdk instance sa instead of curl yc-token

* remove unused code

Co-authored-by: Valentin Kiel <val-kiel@yandex-team.ru>

Author: valyankilyan

README.md

@@ -33,6 +33,8 @@ $ docker-machine create \
 
 ## Options
 
+If you haven't specified yc-token nor yc-service-account-key-file it will try to get Instance Service Account.
+
 - `--yandex-cloud-id`: Cloud ID
 - `--yandex-cores`: Count of virtual CPUs
 - `--yandex-core-fraction`: Core fraction
@@ -90,4 +92,4 @@ $ docker-machine create \
 | `--yandex-use-internal-ip` | YC_USE_INTERNAL_IP   | false                    |
 | `--yandex-userdata`        | YC_USERDATA          |                          |
 | `--yandex-zone`            | YC_ZONE              | ru-central1-a            |
----
+---

driver/client.go

@@ -4,15 +4,13 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/c2h5oh/datasize"
 	"github.com/docker/machine/libmachine/log"
 	"github.com/google/uuid"
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/yandex-cloud/go-genproto/yandex/cloud/compute/v1"
 	ycsdk "github.com/yandex-cloud/go-sdk"
-	"github.com/yandex-cloud/go-sdk/iamkey"
 	"github.com/yandex-cloud/go-sdk/pkg/requestid"
 	"github.com/yandex-cloud/go-sdk/pkg/retry"
 	"google.golang.org/grpc"
@@ -139,28 +137,9 @@ func prepareInstanceCreateRequest(d *Driver, imageID string) *compute.CreateInst
 }
 
 func NewYCClient(d *Driver) (*YCClient, error) {
-	if d.Token != "" && d.ServiceAccountKeyFile != "" {
-		return nil, errors.New("one of token or service account key file must be specified, not both")
-	}
-
-	var credentials ycsdk.Credentials
-	switch {
-	case d.Token != "":
-		if strings.HasPrefix(d.Token, "t1.") && strings.Count(d.Token, ".") == 2 {
-			credentials = ycsdk.NewIAMTokenCredentials(d.Token)
-		} else {
-			credentials = ycsdk.OAuthToken(d.Token)
-		}
-	case d.ServiceAccountKeyFile != "":
-		key, err := iamkey.ReadFromJSONFile(d.ServiceAccountKeyFile)
-		if err != nil {
-			return nil, err
-		}
-
-		credentials, err = ycsdk.ServiceAccountKey(key)
-		if err != nil {
-			return nil, err
-		}
+	credentials, err := d.Credentials()
+	if err != nil {
+		return nil, err
 	}
 
 	config := ycsdk.Config{

driver/driver.go

@@ -5,11 +5,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
 	"strings"
 	"text/template"
+	"time"
 
 	"github.com/docker/machine/libmachine/drivers"
 	"github.com/docker/machine/libmachine/log"
@@ -19,6 +19,8 @@ import (
 	"github.com/yandex-cloud/go-genproto/yandex/cloud/compute/v1"
 	"github.com/yandex-cloud/go-genproto/yandex/cloud/resourcemanager/v1"
 	"github.com/yandex-cloud/go-genproto/yandex/cloud/vpc/v1"
+	ycsdk "github.com/yandex-cloud/go-sdk"
+	"github.com/yandex-cloud/go-sdk/iamkey"
 )
 
 type Driver struct {
@@ -61,7 +63,7 @@ const (
 	defaultDiskSize      = 20
 	defaultDiskType      = "network-hdd"
 	defaultEndpoint      = "api.cloud.yandex.net:443"
-	defaultImageFamily   = "ubuntu-1604-lts"
+	defaultImageFamily   = "ubuntu-2004-lts"
 	defaultImageFolderID = StandardImagesFolderID
 	defaultMemory        = 1
 	defaultPlatformID    = "standard-v1"
@@ -245,13 +247,6 @@ func (d *Driver) SetConfigFromFlags(flags drivers.DriverOptions) error {
 	d.ServiceAccountKeyFile = flags.String("yandex-sa-key-file")
 	d.Token = flags.String("yandex-token")
 
-	switch {
-	case d.Token != "" && d.ServiceAccountKeyFile != "":
-		return fmt.Errorf("Yandex.Cloud driver requires one of token or service account key file, not both")
-	case d.Token == "" && d.ServiceAccountKeyFile == "":
-		return fmt.Errorf("A token or service account key file must be specified")
-	}
-
 	d.Cores = flags.Int("yandex-cores")
 	d.CoreFraction = flags.Int("yandex-core-fraction")
 	d.DiskSize = flags.Int("yandex-disk-size")
@@ -345,7 +340,7 @@ func (d *Driver) Create() error {
 		return err
 	}
 
-	publicKey, err := ioutil.ReadFile(d.publicSSHKeyPath())
+	publicKey, err := os.ReadFile(d.publicSSHKeyPath())
 	if err != nil {
 		return err
 	}
@@ -610,7 +605,7 @@ func (d *Driver) prepareUserData(publicKey string) (string, error) {
 
 	if d.UserDataFile != "" {
 		log.Infof("Use provided file %q with user-data", d.UserDataFile)
-		buf, err := ioutil.ReadFile(d.UserDataFile)
+		buf, err := os.ReadFile(d.UserDataFile)
 		if err != nil {
 			return "", err
 		}
@@ -623,6 +618,45 @@ func (d *Driver) prepareUserData(publicKey string) (string, error) {
 	return userData, nil
 }
 
+func (d *Driver) Credentials() (ycsdk.Credentials, error) {
+	if d.ServiceAccountKeyFile != "" && d.Token != "" {
+		return nil, fmt.Errorf("only one of 'token' or 'sa-key-file' should be specified")
+	}
+
+	if d.ServiceAccountKeyFile != "" {
+		key, err := iamkey.ReadFromJSONFile(d.ServiceAccountKeyFile)
+		if err != nil {
+			return nil, err
+		}
+		return ycsdk.ServiceAccountKey(key)
+	}
+
+	if d.Token != "" {
+		if strings.HasPrefix(d.Token, "t1.") && strings.Count(d.Token, ".") == 2 {
+			return ycsdk.NewIAMTokenCredentials(d.Token), nil
+		}
+		return ycsdk.OAuthToken(d.Token), nil
+	}
+
+	if sa := ycsdk.InstanceServiceAccount(); checkServiceAccountAvailable(context.Background(), sa) {
+		fmt.Println("Trying to get Instance Service Account.")
+		return sa, nil
+	}
+
+	return nil, fmt.Errorf("one of 'token' or 'sa-key-file' should be specified; if you are inside compute instance, you can attach service account to it in order to authenticate via instance service account")
+}
+
+func checkServiceAccountAvailable(ctx context.Context, sa ycsdk.NonExchangeableCredentials) bool {
+	dialer := net.Dialer{Timeout: 50 * time.Millisecond}
+	conn, err := dialer.Dial("tcp", net.JoinHostPort(ycsdk.InstanceMetadataAddr, "80"))
+	if err != nil {
+		return false
+	}
+	_ = conn.Close()
+	_, err = sa.IAMToken(ctx)
+	return err == nil
+}
+
 func defaultUserData(sshUserName, sshPublicKey string) (string, error) {
 	type templateData struct {
 		SSHUserName  string

driver/driver_test.go

@@ -1,7 +1,7 @@
 package driver
 
 import (
-	"io/ioutil"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -78,7 +78,7 @@ users:
 				require.Error(t, e, "error expected")
 			} else {
 				require.NoError(t, e, "no error expected, got one")
-				content, err := ioutil.ReadFile("testdata/" + tt.golden + ".golden")
+				content, err := os.ReadFile("testdata/" + tt.golden + ".golden")
 				if err != nil {
 					t.Fatalf("Error loading golden file: %s", err)
 				}

helper/options.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+
 	"github.com/docker/machine/libmachine/mcnflag"
 	"github.com/yandex-cloud/docker-machine-driver-yandex/driver"
 )

main.go

@@ -3,9 +3,10 @@ package main
 import (
 	"flag"
 	"fmt"
+	"os"
+
 	"github.com/docker/machine/libmachine/drivers/plugin"
 	"github.com/yandex-cloud/docker-machine-driver-yandex/driver"
-	"os"
 )
 
 // Version will be added once we start the build process