Output namespace and KSA explicitly for Workload Identity Users

To make misconfigurations where e.g. namespace and KSA might be switched easier to spot.
doitintl · Feb 16, 2023 · 9dcc3c2 · 9dcc3c2
1 parent e14a528
commit 9dcc3c2
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/src/gsa.py b/src/gsa.py
@@ -6,6 +6,19 @@
 
 logger = logging.getLogger()
 
+
+def format_wi_user(user):
+    try:
+        match = re.search(r'\[([\w-]+/[\w-]+)\]$', user)
+    except TypeError:
+        match = None
+    if match:
+        namespace, ksa = match.group(1).split('/')
+        return '%s (Namespace: %s, KSA: %s)' % (user, namespace, ksa)
+    else:
+        return '%s (Namespace and KSA could not be determined - wrong binding?)' % user
+
+
 class GsaProject(object):
     """This class represents a GCP Project in which a GSA resides"""
 
@@ -41,7 +54,7 @@ def print_info(self):
         if self.gsa:
             logger.info('Google Service Account: "%s"' % self.gsa_link)
             logger.info('Has the following Workload Identity Users:\n%s' %
-                        '\n'.join(self.wi_users))
+                        '\n'.join(map(format_wi_user, self.wi_users)))
         else:
             logger.info('Google Service Account information could '
                         'not be determined, fix previous issues')