googlearchive · martinmaly · Feb 12, 2018 · Feb 11, 2018 · mihnjong · Feb 11, 2018
diff --git a/installer/pkg/cmd/gcp_broker.go b/installer/pkg/cmd/gcp_broker.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"crypto/md5"
 	"encoding/base32"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -116,6 +117,8 @@ func addGCPBroker() error {
 
 	vb, err := getOrCreateVirtualBroker(projectID, "default", "Default Broker")
 	if err != nil {
+		// Clean up the newly generated key if the command failed.
+		cleanupNewKey(brokerSAEmail, key)
 		return fmt.Errorf("error retrieving or creating default broker : %v", err)
 	}
 
@@ -126,11 +129,15 @@ func addGCPBroker() error {
 
 	err = generateGCPBrokerConfigs(dir, data)
 	if err != nil {
+		// Clean up the newly generated key if the command failed.
+		cleanupNewKey(brokerSAEmail, key)
 		return fmt.Errorf("error generating configs for GCP :: %v", err)
 	}
 
 	err = deployGCPBrokerConfigs(dir)
 	if err != nil {
+		// Clean up the newly generated key if the command failed.
+		cleanupNewKey(brokerSAEmail, key)
 		return fmt.Errorf("error deploying GCP broker configs :%v", err)
 	}
 
@@ -280,6 +287,25 @@ func httpAdapterFromAuthKey(keyFile string) (*adapter.HttpAdapter, error) {
 	return adapter.NewHttpAdapter(client), nil
 }
 
+// cleanupNewKey removes the newly generated service account key.
+func cleanupNewKey(email, key string) {
+	keyBytes, err := base64.StdEncoding.DecodeString(key)
+	if err != nil {
+		// Silently return if there is an error decoding the newly generated key.
+		return
+	}
+
+	keyJson := make(map[string]interface{})
+	err = json.Unmarshal(keyBytes, &keyJson)
+	if err != nil {
+		// Silently return if there is an error unmarshalling the key.
+		return
+	}
+
+	keyID := keyJson["private_key_id"].(string)
+	gcp.RemoveServiceAccountKey(email, keyID)
+}
+
 func NewRemoveGCPBrokerCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "remove-gcp-broker",
@@ -348,7 +374,7 @@ func removeGCPBroker() error {
 	}
 
 	// Clean up all the associated keys.
-	err = gcp.RemoveServiceAccountKeys(brokerSAEmail)
+	err = gcp.RemoveAllServiceAccountKeys(brokerSAEmail)
 	if err != nil {
 		return err
 	}

diff --git a/installer/pkg/gcp/broker.go b/installer/pkg/gcp/broker.go
@@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os/exec"
+	"strconv"
 	"strings"
 	"time"
 )
@@ -153,7 +154,8 @@ type saKey struct {
 	ValidBeforeTime string `json:"validBeforeTime"`
 }
 
-func RemoveServiceAccountKeys(email string) error {
+// RemoveAllServiceAccountKeys removes all the keys associated with the service account.
+func RemoveAllServiceAccountKeys(email string) error {
 	cmd := exec.Command("gcloud", "iam", "service-accounts", "keys", "list", "--iam-account", email, "--format=json")
 	out, err := cmd.CombinedOutput()
 	if err != nil {
@@ -182,18 +184,23 @@ func RemoveServiceAccountKeys(email string) error {
 
 		life := et.Sub(bt)
 		if life > 365*24*time.Hour {
-			cmd := exec.Command("gcloud", "iam", "service-accounts", "keys", "delete", k.Name, "--iam-account", email, "--quiet" /*disable interactive mode*/)
-			out, err := cmd.CombinedOutput()
-			if err != nil {
-				fmt.Printf("failed to delete service account key: %s : %v\n", string(out), err)
-				fmt.Printf("WARNING: Please clean up the key from service account %s", email)
-			}
+			RemoveServiceAccountKey(email, k.Name)
 		}
 	}
 
 	return nil
 }
 
+// RemoveServiceAccountKey removes the given key from the service account.
+func RemoveServiceAccountKey(email, keyID string) {
+	cmd := exec.Command("gcloud", "iam", "service-accounts", "keys", "delete", keyID, "--iam-account", email, "--quiet" /*disable interactive mode*/)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		fmt.Printf("failed to delete service account key: %s : %v\n", string(out), err)
+		fmt.Printf("WARNING: Please clean up the key from service account %s", email)
+	}
+}
+
 // GetConfigValue returns a property value from given section of gcloud's
 // default config.
 func GetConfigValue(section, property string) (string, error) {