Fixed SaaS related issues for GCP credetnials

Author: bhillkeyfactor

GCPCAS/Client/GCPCASClient.cs

@@ -58,7 +58,8 @@ public class GCPCASClient : IGCPCASClient
     /// <param name="projectId">The GCP project ID where the target GCP CAS CA is located</param>
     /// <param name="caPool">The CA Pool ID in GCP CAS to use for certificate operations. If the CA Pool has resource name <c>projects/my-project/locations/us-central1/caPools/my-pool</c>, this field should be set to <c>my-pool</c></param>
     /// <param name="caId">The CA ID of a CA in the same CA Pool as CAPool. For example, to issue certificates from a CA with resource name <c>projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca</c>, this field should be set to <c>my-ca</c>.</param>
-    public GCPCASClient(string locationId, string projectId, string caPool, string caId)
+    /// <param name="serviceAccountKey">Optional JSON service account key. When provided, used instead of Application Default Credentials.</param>
+    public GCPCASClient(string locationId, string projectId, string caPool, string caId, string serviceAccountKey = null)
     {
         _logger = LogHandler.GetClassLogger<GCPCASClient>();
         _logger.MethodEntry();
@@ -69,8 +70,18 @@ public GCPCASClient(string locationId, string projectId, string caPool, string c
         this._caPool = caPool;
         this._caId = caId;
 
-        _logger.LogTrace($"Setting up a {typeof(CertificateAuthorityServiceClient).ToString()} using the Default gRPC adapter");
-        _client = new CertificateAuthorityServiceClientBuilder().Build();
+        var builder = new CertificateAuthorityServiceClientBuilder();
+        if (!string.IsNullOrEmpty(serviceAccountKey))
+        {
+            _logger.LogTrace("Using provided service account key JSON for authentication");
+            builder.JsonCredentials = serviceAccountKey;
+        }
+        else
+        {
+            _logger.LogTrace($"Setting up a {typeof(CertificateAuthorityServiceClient).ToString()} using Application Default Credentials");
+        }
+
+        _client = builder.Build();
         _logger.MethodExit();
     }
 

GCPCAS/GCPCASCAPlugin.cs

@@ -200,7 +200,7 @@ private void GCPCASClientFromCAConnectionData(Dictionary<string, object> connect
         else
         {
             _logger.LogDebug("Creating new GCPCASClient instance.");
-            Client = new GCPCASClient(_config.LocationId, _config.ProjectId, _config.CAPool, _config.CAId);
+            Client = new GCPCASClient(_config.LocationId, _config.ProjectId, _config.CAPool, _config.CAId, _config.ServiceAccountKey);
         }
 
         if (_config.Enabled)

GCPCAS/GCPCASCAPluginConfig.cs

@@ -33,6 +33,7 @@ public class ConfigConstants
         public const string CAPool = "CAPool";
         public const string CAId = "CAId";
         public const string Enabled = "Enabled";
+        public const string ServiceAccountKey = "ServiceAccountKey";
     }
 
     public class Config
@@ -42,6 +43,7 @@ public class Config
         public string CAPool { get; set; }
         public string CAId { get; set; }
         public bool Enabled { get; set; }
+        public string ServiceAccountKey { get; set; }
     }
 
     public static class EnrollmentParametersConstants
@@ -88,6 +90,13 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
                 DefaultValue = true,
                 Type = "Boolean"
             },
+            [ConfigConstants.ServiceAccountKey] = new PropertyConfigInfo()
+            {
+                Comments = "Optional JSON service account key for GCP authentication. When provided, this is used instead of Application Default Credentials (ADC). This is recommended for containerized environments where mounting a credentials file is not practical. Leave empty to use ADC.",
+                Hidden = false,
+                DefaultValue = "",
+                Type = "String"
+            },
         };
     }
 

docsource/configuration.md

@@ -19,9 +19,19 @@ The [Google Cloud Platform (GCP) CA Services (CAS)](https://cloud.google.com/sec
 
 ## Requirements
 
-### Application Default Credentials
+### GCP Authentication
 
-The GCP CAS AnyCA Gateway REST plugin connects to and authenticates with GCP CAS implicitly using [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials). This means that all authentication-related configuration of the GCP CAS AnyCA Gateway REST plugin is implied by the environment where the AnyCA Gateway REST itself is running.
+The GCP CAS AnyCA Gateway REST plugin supports two methods for authenticating with GCP CAS:
+
+#### Option 1: Service Account Key via CA Connection Configuration (Recommended for Containers)
+
+The plugin accepts an optional **ServiceAccountKey** field in the CA Connection configuration. When provided, the JSON service account key is used directly for authentication without requiring any credential files on the filesystem. This is the recommended approach for containerized deployments (e.g., Docker, Kubernetes) where mounting credential files is not practical.
+
+To use this method, paste the full JSON contents of a GCP service account key into the **ServiceAccountKey** field in the CA Connection tab. In Kubernetes, the service account key JSON can be stored as a Secret and injected via the Keyfactor configuration API.
+
+#### Option 2: Application Default Credentials (ADC)
+
+If the **ServiceAccountKey** field is left empty, the plugin falls back to [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials). This means that all authentication-related configuration is implied by the environment where the AnyCA Gateway REST itself is running.
 
 Please refer to [Google's documentation](https://cloud.google.com/docs/authentication/provide-credentials-adc) to configure ADC on the server running the AnyCA Gateway REST.
 
@@ -32,6 +42,8 @@ Please refer to [Google's documentation](https://cloud.google.com/docs/authentic
 > 1. The service account that the AnyCA Gateway REST runs under must have read permission to the GCP credential JSON file.
 > 2. You must set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable for the Windows Service running the AnyCA Gateway REST using the [Windows registry editor](https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users).
 >     * Refer to the [HKLM\SYSTEM\CurrentControlSet\Services Registry Tree](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree) docs
+>
+> For containerized environments running on GCP (e.g., GKE), [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) can be used instead, which requires no credential files or environment variables.
 
 If the selected ADC mechanism is [Service Account Key](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif-key), it's recommended that a [custom role is created](https://cloud.google.com/iam/docs/creating-custom-roles) that has the following minimum permissions:
 

integration-manifest.json

@@ -32,6 +32,10 @@
                 {
                     "name": "Enabled",
                     "description": "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available."
+                },
+                {
+                    "name": "ServiceAccountKey",
+                    "description": "Optional JSON service account key for GCP authentication. When provided, this is used instead of Application Default Credentials (ADC). Recommended for containerized environments where mounting a credentials file is not practical. Leave empty to use ADC."
                 }
             ],
             "enrollment_config": [