Tags: google-cloud-platform, jwt, openid-connect, public-key-encryption, encryption-asymmetric

How do I get Public Key of a User Managed Service account in Google Cloud Platform


I'm using a Google Cloud Scheduler to call an external application. Google Cloud Scheduler uses OIDC authentication and uses a service account. I could get only the service account's private key from the Google Service Accounts UI Console page. How do I get the public key of that user managed service account?

I found the public key of this service account by pasting the Bearer token here: https://jwt.io/

But is this the only way to get the public key of a service account? Is there any other way to get this (like libraries, etc.)? Is there any way to get this from Google utils or gcloud or the Google console?

In one of the sites it was mentioned that "The public key can be widely distributed, so every consumer of the token can verify its integrity." So, where is this Google service account's public key distributed to? Is there a server/place where all Google service account public keys are stored?

Also, there is an option to embed the public key as part of the JWT token. If I get a bearer token from Google Cloud Scheduler, how do I know if it has an embedded public key or not? Or is it a distributed public key?

Thanks in advance for any support!

Regards

P.S.: I read through these but they were not very helpful:

1. Get developer keys for Google Cloud Service Accounts
2. https://www.pingidentity.com/fr/company/blog/posts/2019/the-hard-parts-of-jwt-security-nobody-talks-about.html


Solution

  • According to the official documentation:

    Creating and managing service account keys

    Google ensures that all public keys for all service accounts are publicly accessible by anyone and available to verify signatures that are created with the private key. The public key is publicly accessible at the following URLs:

    1. X.509 certificate: https://www.googleapis.com/service_accounts/v1/metadata/x509/[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com

    2. JSON Web Key (JWK): https://www.googleapis.com/service_accounts/v1/jwk/[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com

    3. Raw endpoint: https://www.googleapis.com/service_accounts/v1/metadata/raw/[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com

    I used curl to access the URLs:

      curl -i https://www.googleapis.com/service_accounts/v1/jwk/[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com

      {
        "keys": [
          {
            "e": "xxxx",
            "kty": "xxx",
            "alg": "xxxx",
            "n": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "use": "xxx",
            "kid": "xxxxxxxxxxxxxxxx"
          }
        ]
      }
    
    

    Or to access the raw endpoint:

      curl -i https://www.googleapis.com/service_accounts/v1/metadata/raw/[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com

      {
        "keyvalues": [
          {
            "exponent": "xxx",
            "keyid": "xxxxxxxxxxx",
            "modulus": "xxxxxxxxxxx",
            "algorithm": "xxx"
          }
        ]
      }
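The answer above shows where the JWK document lives; what the external application then has to do with it is pick the key whose kid matches the token header, rebuild the RSA public key from n and e, verify the RS256 signature, and only then trust the claims (audience, expiry). The following Go program is an added example, not code from the question, the answer or Google. It runs offline: a freshly generated RSA key stands in for the service account's key, the JWK set built from it stands in for the document the jwk endpoint would return, and the kid, audience and email values are constructed for the demonstration. In a real verifier you would fetch the JWK set from the URL in the answer (or the Google OIDC discovery document) and cache it by kid.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK mirrors the fields the jwk endpoint returns for one RSA signing key.
type JWK struct {
	Kty, Alg, Use, Kid, N, E string
}

// JWKSet is the {"keys": [...]} document served at .../service_accounts/v1/jwk/<sa-email>.
type JWKSet struct{ Keys []JWK }

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url for every segment

// jwkFromPublicKey builds the JWK entry the endpoint would publish for this key.
func jwkFromPublicKey(pub *rsa.PublicKey, kid string) JWK {
	return JWK{Kty: "RSA", Alg: "RS256", Use: "sig", Kid: kid,
		N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// publicKeyFromJWKSet selects the key with the given kid and decodes n and e.
func publicKeyFromJWKSet(set JWKSet, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		if k.Kid != kid {
			continue
		}
		if k.Kty != "RSA" || k.Alg != "RS256" {
			return nil, fmt.Errorf("kid %s: unsupported kty/alg %s/%s", kid, k.Kty, k.Alg)
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, errors.New("kid " + kid + ": n/e not base64url")
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no key with kid %s in JWK set", kid)
}

// signRS256 produces header.payload.signature the way the token issuer would.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyRS256 checks the signature against the published JWK set, then aud and exp.
// It refuses any alg other than RS256, so an attacker-supplied "none" or HS256
// header cannot downgrade the check before the key lookup even happens.
func verifyRS256(token string, set JWKSet, wantAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("rejecting alg %q", header.Alg)
	}
	pub, err := publicKeyFromJWKSet(set, header.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	if claims["aud"] != wantAud {
		return nil, fmt.Errorf("aud %v does not match %s", claims["aud"], wantAud)
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or exp missing")
	}
	return claims, nil
}

// SelfCheck runs the whole round trip offline with a generated key (stand-in for
// the service account key) and a locally built JWK set (stand-in for the endpoint).
func SelfCheck() error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	const kid, aud = "constructed-kid-1", "https://example.invalid/job" // constructed values
	set := JWKSet{Keys: []JWK{jwkFromPublicKey(&priv.PublicKey, kid)}}
	now := time.Now()
	token, err := signRS256(priv, kid, map[string]any{"iss": "https://accounts.google.com",
		"aud": aud, "exp": now.Add(time.Hour).Unix(), "email": "scheduler-sa@my-project.iam.gserviceaccount.com"})
	if err != nil {
		return err
	}
	if _, err := verifyRS256(token, set, aud, now); err != nil {
		return fmt.Errorf("valid token rejected: %w", err)
	}
	parts := strings.Split(token, ".")
	forged := b64.EncodeToString([]byte(`{"aud":"` + aud + `","exp":9999999999}`))
	if _, err := verifyRS256(parts[0]+"."+forged+"."+parts[2], set, aud, now); err == nil {
		return errors.New("tampered payload accepted")
	}
	noneHdr := b64.EncodeToString([]byte(`{"alg":"none","kid":"` + kid + `"}`))
	if _, err := verifyRS256(noneHdr+"."+parts[1]+".", set, aud, now); err == nil {
		return errors.New("alg=none accepted")
	}
	return nil
}

func main() {
	if err := SelfCheck(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("signature, aud and exp verified against the JWK set; tampered and alg=none tokens rejected")
}
```

Two design points worth keeping when adapting this to a real Cloud Scheduler caller: the key is selected by the kid from the token header and the alg is pinned to RS256 before any lookup, so neither a forged header nor a key-confusion attempt can change which algorithm is used; and the audience check is what ties the token to your endpoint, so set aud to the exact URL you configured on the scheduler job rather than accepting any Google-signed token.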