Support Google Secrets from projects other than the WIF pool one

As noted in gitlab-org/gitlab-runner#37487, there is currently no way to reference a secret from a project other than the one containing the WIF pool despite Google supporting this. Extend the interpretation of `gcp_secret_manager:name:` to allow fully-qualified secret resource names. If the secret name matches the pattern `projects/*/secrets/*`, we use it as the full resource name otherwise we fall back to the existing behaviour of interpolating the project id used to construct the WIF audience.

Support Google Secrets from projects other than the WIF pool one
c426e99f · Rich Wareham · 295c6c7a · c426e99f
Commit c426e99f authored 1 year ago by Rich Wareham
--- a/helpers/gcp_secret_manager/service/gcp_secret_manager.go
+++ b/helpers/gcp_secret_manager/service/gcp_secret_manager.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"hash/crc32"
+	"path/filepath"

 	sm "cloud.google.com/go/secretmanager/apiv1"
 	smpb "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
@@ -97,8 +98,13 @@ func access(ctx context.Context, secret *common.GCPSecretManagerSecret, source o
 		return nil, fmt.Errorf("unable to create secrets manager client: %w", err)
 	}

+	resourceName, err := secretVersionResourceName(secret)
+	if err != nil {
+		return nil, fmt.Errorf("unable to extract secret version resource name: %w", err)
+	}
+
 	smAccessSecretVersionRequest := &smpb.AccessSecretVersionRequest{
-		Name: secretVersionResourceName(secret),
+		Name: resourceName,
 	}

 	return smClient.AccessSecretVersion(ctx, smAccessSecretVersionRequest)
@@ -111,8 +117,18 @@ func toTokenSource(resp *sts.GoogleIdentityStsV1ExchangeTokenResponse) oauth2.To
 	})
 }

-func secretVersionResourceName(secret *common.GCPSecretManagerSecret) string {
-	return fmt.Sprintf("projects/%s/secrets/%s/versions/%s", secret.Server.ProjectNumber, secret.Name, secret.Version)
+func secretVersionResourceName(secret *common.GCPSecretManagerSecret) (string, error) {
+	// Support secrets where the full secret resource path is provided.
+	isSecretResourceName, err := filepath.Match("projects/*/secrets/*", secret.Name)
+	if err != nil {
+		return "", err
+	}
+	if isSecretResourceName {
+		return fmt.Sprintf("%s/versions/%s", secret.Name, secret.Version), nil
+	}
+
+	// Any other secret format is considered to be a plain secret id.
+	return fmt.Sprintf("projects/%s/secrets/%s/versions/%s", secret.Server.ProjectNumber, secret.Name, secret.Version), nil
 }

 func validChecksum(payload *smpb.SecretPayload) bool {