blob: d696e2e3a275b43e2ed7d784021672e7149c7ce4 [file] [log] [blame]
package main
Obtain an OAuth2 token from a service account key. Expects to run as root in a cron job.
import (
compute ""
// checkFilePerms returns an error if the given file is not owned and readable
// only by root. Requires that we're running on Linux.
func checkFilePerms(fp string) error {
info, err := os.Stat(fp)
if err != nil {
return fmt.Errorf("Failed to read file: %s", err)
fi, ok := info.Sys().(*syscall.Stat_t)
if !ok {
return fmt.Errorf("Got wrong type for FileInfo.Sys()!")
if fi.Uid != 0 {
return fmt.Errorf("File is not owned by root (UID = %d).", fi.Uid)
if fi.Gid != 0 {
return fmt.Errorf("File is not owned by root group (GID = %d).", fi.Gid)
if info.Mode() != 0600 {
return fmt.Errorf("File mode must be 0600 (is %d).", info.Mode())
return nil
func processServiceAccount(nickname string) error {
serviceAccountFile := fmt.Sprintf("/etc/service_account_%s.json", nickname)
dest := fmt.Sprintf("/var/local/token_%s.json", nickname)
// Verify that the key file is owned and readable only by root.
if err := checkFilePerms(serviceAccountFile); err != nil {
if dest == "" {
sklog.Fatalf("--dest is required.")
src, err := auth.NewJWTServiceAccountTokenSource("#bogus", serviceAccountFile, compute.CloudPlatformScope, auth.SCOPE_USERINFO_EMAIL)
if err != nil {
tok, err := src.Token()
if err != nil {
b, err := json.Marshal(tok)
if err != nil {
if err := ioutil.WriteFile(dest, b, 0644); err != nil {
sklog.Infof("Wrote new auth token: %s", tok.AccessToken[len(tok.AccessToken)-8:])
return nil
func main() {
hostname, err := os.Hostname()
if err != nil {
serviceAccounts, ok := service_accounts.JumphostServiceAccountMapping[hostname]
if !ok {
sklog.Fatalf("Hostname not in jumphost mapping: %s", hostname)
sklog.Infof("Obtaining new auth token.")
for _, sa := range serviceAccounts {
if err := processServiceAccount(sa.Nickname); err != nil {